CVE-2026-52773

MEDIUMPre-NVD 6.16.1
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
6.1
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 6.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision time Parameter in handlers/page/show.php

Summary

YesWiki's archived-revision view reflects the time GET parameter into a hidden HTML input in handlers/page/show.php without escaping. Because MySQL coerces malformed DATETIME strings, an attacker can append HTML or JavaScript to a valid archived revision timestamp, still load that archived revision, and execute arbitrary JavaScript in the victim's browser.

The vulnerable form is only rendered when the victim can both read and edit the target page. In restricted deployments this requires a victim with read and write access to that page. On a default doryphore 4.6.5 install, public pages such as PagePrincipale were editable anonymously during validation, so the issue can also affect unauthenticated visitors in that configuration.

Details

The request routing path uses the user-controlled time parameter to load a specific page revision. In includes/YesWiki.php around Run() line 1223, the request is routed through:

$this->SetPage($this->LoadPage($tag, isset($_REQUEST['time']) ? $_REQUEST['time'] : ''));

LoadPage() delegates to PageManager::getOne() in includes/services/PageManager.php around line 75, which builds a SQL predicate directly from the supplied revision time:

$timeQuery = $time ? "time = '{$this->dbService->escape($time)}'" : "latest = 'Y'";

If the loaded page is an archived revision (latest == 'N') and the current user has write access, handlers/page/show.php around lines 43-49 renders an edit form for that archived revision and copies $_GET['time'] into a hidden input without htmlspecialchars():

$time = isset($_GET['time']) ? $_GET['time'] : '';
echo $this->FormOpen(testUrlInIframe() ? 'editiframe' : 'edit', '', 'get');
" />

That sink is reachable only when all of the following are true:

  • The target page has at least one archived revision.
  • The victim can read the target page.
  • The victim can write the target page, because the archived revision edit form is rendered only inside the if ($this->HasAccess('write')) branch.

In practice, the payload must begin with a real archived revision timestamp. A completely invalid time value does not reach the archived branch because YesWiki only updates the current page object when the revision lookup returns a non-empty row.

During local validation on the official doryphore 4.6.5 package, the exploit worked because MySQL accepted a malformed timestamp string as matching an existing archived revision row. For example, the following expression was coerced to the stored revision time:

CAST(CONCAT('2026-05-24 04:30:00', CHAR(34), CHAR(62), CHAR(60), 'script', CHAR(62), 'alert(1)', CHAR(60), '/script', CHAR(62)) AS DATETIME)

and the corresponding query predicate still matched the archived row:

WHERE time = '2026-05-24 04:30:00">alert(1)'

This means a payload can begin with a valid archived revision timestamp, still resolve to the archived revision, and then be reflected unescaped into the hidden HTML field.

For comparison, tools/bazar/handlers/page/show__.php around lines 13-14 escapes the same time value with htmlspecialchars(), which shows that the core handler's behavior is inconsistent and unsafe.

This issue maps to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

PoC

  • Set up a vulnerable YesWiki instance. This was validated locally on the official doryphore 4.6.5 release.
  • Use a target page that has at least one archived revision. Any page with revision history is sufficient.
  • Confirm the victim has the rights needed to reach the vulnerable sink:
  • The victim must have read access to the page.
  • The victim must have write access to the page.
  • On the default validation install, these rights were available anonymously on public pages such as PagePrincipale, so no login was required in that configuration.
  • Identify the timestamp of an archived revision. In the validated setup, an archived PagePrincipale revision existed at 2026-05-24 04:30:00.
  • Send the victim a crafted URL that starts with that valid archived revision timestamp and then appends an attribute-breaking payload:

http://127.0.0.1:8085/PagePrincipale?time=2026-05-24%2004:30:00%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cinput%20value=%22
  • Open the URL in a browser as a victim who has the required read and write rights.
  • Observe that YesWiki still loads the archived revision view and displays the archived-revision warning block, proving the malformed time value matched the stored archived revision.
  • Inspect the returned HTML. The response contains the injected payload inside the hidden form field:

alert(1)
  • The browser executes the injected JavaScript in the YesWiki origin. A simple payload such as alert(1) demonstrates code execution; a real payload could read browser-accessible data or perform actions in the victim's session.

Impact

This is a reflected XSS vulnerability in the archived-revision workflow.

The practical access model is:

  • The attacker only needs to send a crafted link.
  • The victim must have read and write access to the target page.
  • The target page must have at least one archived revision.
  • On deployments where anonymous visitors can edit public pages, the issue can be exploited against unauthenticated visitors as well.

An attacker may be able to:

  • Execute arbitrary JavaScript in the victim's browser.
  • Steal browser-accessible sensitive data.
  • Perform actions as the victim inside YesWiki.
  • Abuse the trusted YesWiki origin for phishing, UI redressing, or follow-on attacks.

CVSS v3
6.1
EG Score
6.1(low)
EPSS
KEV
Not listed

Published

July 9, 2026

Last Modified

July 9, 2026

Vendor Advisories for CVE-2026-52773(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 6× in last 7d / 6× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 04:44 UTCEG score recompute
  2. 2026-07-14 03:12 UTCEG score recompute
  3. 2026-07-13 01:51 UTCEG score recompute
  4. 2026-07-12 00:30 UTCEG score recompute
  5. 2026-07-10 23:09 UTCEG score recompute
  6. 2026-07-09 21:46 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-52773?
CVE-2026-52773 is a medium vulnerability published on July 9, 2026. YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision time Parameter in handlers/page/show.php Summary YesWiki's archived-revision view reflects the time GET parameter into a hidden HTML input in handlers/page/show.php without escaping. Because MySQL coerces malformed DATETIME…
When was CVE-2026-52773 disclosed?
CVE-2026-52773 was first published in the National Vulnerability Database on July 9, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-52773?
CVE-2026-52773 has a CVSS v4.0 base score of 6.1 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-52773?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52773, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52773

Explore →

Is Your Infrastructure Affected by CVE-2026-52773?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.