CVE-2026-41143— YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41143
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()
Source: NVD (National Vulnerability Database)
Vulnerability Description
YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] value (sourced from $_POST['id_fiche']) is concatenated directly into a raw SQL query without any sanitization or parameterization. This issue has been patched in version 4.6.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
YesWiki SQL注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
YesWiki是法国YesWiki组织的一个用 PHP 编写的 wiki 系统。用于以协作方式创建和管理网站。 YesWiki 4.6.1之前版本存在SQL注入漏洞,该漏洞源于bazaar模块中EntryManager.php文件的$data[ id_fiche ]值直接拼接至SQL查询,可能导致SQL注入攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41143
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 8184 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-41143
请登录查看更多情报信息。
- Release v4.6.1 · YesWiki/yeswiki · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-41143
IV. Related Vulnerabilities
Same product: yeswiki
- CVE-2026-34598
YesWiki has Persistant Blind XSS at "/?BazaR&vue=consulter" - CVE-2025-46550
Yeswiki Vulnerable to Unauthenticated Reflected Cross-site S - CVE-2025-46549
Yeswiki Vulnerable to Unauthenticated Reflected Cross-site S - CVE-2025-46348
YesWiki Vulnerable to Unauthenticated Site Backup Creation a - CVE-2025-46350
Yeswiki Vulnerable to Authenticated Reflected Cross-site Scr
Same vendor: YesWiki
- CVE-2026-34598
YesWiki has Persistant Blind XSS at "/?BazaR&vue=consulter" - CVE-2025-46550
Yeswiki Vulnerable to Unauthenticated Reflected Cross-site S - CVE-2025-46549
Yeswiki Vulnerable to Unauthenticated Reflected Cross-site S - CVE-2025-46348
YesWiki Vulnerable to Unauthenticated Site Backup Creation a - CVE-2025-46350
Yeswiki Vulnerable to Authenticated Reflected Cross-site Scr
Same weakness: CWE-89
- CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-46364
phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCap - CVE-2026-46359
phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Un - CVE-2021-47966
PHP Timeclock 1.04 SQL Injection via login.php - CVE-2026-7046
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.12 -
V. Comments for CVE-2026-41143
No comments yet