PatchSiren cyber security CVE debrief
CVE-2026-52778 YesWiki CVE debrief
A critical vulnerability (CVSS Score: 9.8) exists in YesWiki's Bazar form field calculator (CalcField.php) prior to version 4.6.6. The application attempts to sanitize user-defined mathematical formulas with a complex recursive regular expression before passing them to the PHP eval() function. That sanitization is flawed: the recursive pattern can be driven into a Regular Expression Denial of Service (ReDoS, manifesting as a stack overflow), and the filtered formula can still reach eval(), allowing arbitrary PHP code execution. This vulnerability was patched in version 4.6.6.
- Vendor: YesWiki
- Product: Unknown
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-09
Who should care
Users of YesWiki versions prior to 4.6.6 should apply the patch immediately to prevent potential attacks.
Technical summary
The vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. User-defined mathematical formulas are sanitized with a recursive regular expression and then evaluated with eval(); the flawed implementation of that regular expression can lead to a Denial of Service (DoS) and can allow arbitrary PHP code execution.
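The safe alternative to filtering a formula with a regular expression and then handing it to eval() is to never evaluate source text at all: tokenize the formula with a simple linear-time pattern, parse it with a small recursive-descent parser that understands only arithmetic, and evaluate the parse directly. The following is an added example written for this debrief, in Python rather than PHP; it is not YesWiki's code and the field names, limits (MAX_LENGTH, MAX_DEPTH) and grammar are assumptions. It also covers the two failure modes named above: the tokenizer has no nested quantifiers, so it cannot be driven into catastrophic backtracking, and an explicit nesting cap replaces an unbounded recursive regex, so a deeply parenthesized formula fails cleanly instead of overflowing the stack.

```python
"""Safe evaluator for user-supplied arithmetic formulas (constructed example)."""
import re
from typing import Dict, List, Tuple

MAX_LENGTH = 200  # hard cap on formula size (assumed limit, not a YesWiki value)
MAX_DEPTH = 20    # hard cap on parenthesis nesting (assumed limit)


class FormulaError(ValueError):
    """Raised for any formula that is not plain, well-formed arithmetic."""


# One token per match: a number, a field name, a single operator/paren, or
# one illegal character. Every alternative is a fixed class with a simple
# quantifier, so matching is linear in the input length (no ReDoS).
_TOKEN = re.compile(
    r"\s*(?:(?P<num>\d+(?:\.\d+)?)|(?P<name>[A-Za-z_]\w*)|(?P<op>[-+*/()])|(?P<bad>\S))",
    re.ASCII,
)


def tokenize(text: str) -> List[Tuple[str, str]]:
    """Split a formula into (kind, text) tokens, rejecting anything unexpected."""
    if len(text) > MAX_LENGTH:
        raise FormulaError("formula too long")
    tokens = []
    for m in _TOKEN.finditer(text):
        if m.group("bad") is not None:
            raise FormulaError(f"illegal character {m.group('bad')!r}")
        kind = m.lastgroup
        tokens.append((kind, m.group(kind)))
    return tokens


class _Parser:
    """Recursive-descent parser: expr -> term -> factor, with bounded nesting."""

    def __init__(self, tokens: List[Tuple[str, str]], fields: Dict[str, float]):
        self.toks = tokens
        self.i = 0
        self.fields = fields   # values of the form's other fields (assumed input)
        self.depth = 0

    def peek(self) -> Tuple[str, str]:
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", "")

    def take(self, kind: str = None, value: str = None) -> Tuple[str, str]:
        tok = self.peek()
        if (kind and tok[0] != kind) or (value is not None and tok[1] != value):
            raise FormulaError(f"expected {value or kind}, got {tok[1] or 'end'}")
        self.i += 1
        return tok

    def expr(self) -> float:          # expr := term (('+'|'-') term)*
        val = self.term()
        while self.peek() in (("op", "+"), ("op", "-")):
            op = self.take()[1]
            rhs = self.term()
            val = val + rhs if op == "+" else val - rhs
        return val

    def term(self) -> float:          # term := factor (('*'|'/') factor)*
        val = self.factor()
        while self.peek() in (("op", "*"), ("op", "/")):
            op = self.take()[1]
            rhs = self.factor()
            if op == "*":
                val *= rhs
            else:
                if rhs == 0:
                    raise FormulaError("division by zero")
                val /= rhs
        return val

    def factor(self) -> float:        # factor := '-' factor | number | name | '(' expr ')'
        kind, value = self.peek()
        if (kind, value) == ("op", "-"):
            self.take()
            return -self.factor()
        if (kind, value) == ("op", "("):
            self.take()
            self.depth += 1
            if self.depth > MAX_DEPTH:          # bounded, so no stack overflow
                raise FormulaError("formula nested too deeply")
            val = self.expr()
            self.take("op", ")")
            self.depth -= 1
            return val
        if kind == "num":
            self.take()
            return float(value)
        if kind == "name":
            self.take()
            if value not in self.fields:        # only known fields, never functions
                raise FormulaError(f"unknown field {value!r}")
            return float(self.fields[value])
        raise FormulaError(f"unexpected token {value or 'end'}")


def evaluate(formula: str, fields: Dict[str, float]) -> float:
    """Evaluate a formula against field values without ever calling eval()."""
    parser = _Parser(tokenize(formula), fields)
    result = parser.expr()
    if parser.peek()[0] != "eof":
        raise FormulaError(f"unexpected trailing token {parser.peek()[1]!r}")
    return result


def is_valid_formula(formula: str, fields: Dict[str, float]) -> bool:
    """True when the formula parses and evaluates; usable when a form is saved."""
    try:
        evaluate(formula, fields)
    except FormulaError:
        return False
    return True


if __name__ == "__main__":
    sample = {"price": 10, "qty": 3, "discount": 5}   # constructed form values
    print(evaluate("(price * qty) - discount", sample))
    print(is_valid_formula("system('id')", sample))
```

Because the grammar only knows numbers, named fields and four operators, there is no path from formula text to the PHP (or Python) interpreter at all; function calls, string literals and anything outside the token classes are rejected at the tokenizer, and the rejection is decided in linear time with bounded recursion. Running is_valid_formula when a form definition is saved gives the form author immediate feedback and keeps malformed formulas out of storage.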
Defensive priority
High
Recommended defensive actions
- Apply the patch by updating to YesWiki version 4.6.6 or later.
- Review and restrict user input to the Bazar form field calculator to prevent potential attacks.
Evidence notes
The vulnerability was patched in version 4.6.6. References: [ref-4](https://github.com/YesWiki/yeswiki/commit/dd2bd8fb099de0d21504bda8a810693b3fcb8e52), [ref-5](https://github.com/YesWiki/yeswiki/releases/tag/v4.6.6), [ref-6](https://github.com/YesWiki/yeswiki/security/advisories/GHSA-px5m-h76g-p7p8).
Official resources
CVE-2026-52778 was published on 2026-06-08 and modified on 2026-06-09.