CVE-2026-41143 Overview
CVE-2026-41143 is a SQL injection vulnerability in YesWiki, a PHP-based wiki system. The flaw exists in the bazar module's tools/bazar/services/EntryManager.php file at line 704. The $data['id_fiche'] value, sourced directly from $_POST['id_fiche'], is concatenated into a raw SQL query without sanitization or parameterization. Authenticated attackers can manipulate the id_fiche POST parameter to inject arbitrary SQL statements. The issue affects all YesWiki versions prior to 4.6.1 and is tracked under CWE-89. The maintainers patched the vulnerability in version 4.6.1.
Critical Impact
Authenticated attackers can execute arbitrary SQL queries against the YesWiki database, leading to data theft, modification, and potential takeover of the wiki application.
Affected Products
- YesWiki versions prior to 4.6.1
- YesWiki bazar module (tools/bazar/services/EntryManager.php)
- PHP-based deployments running vulnerable YesWiki releases
Discovery Timeline
- 2026-05-07 - CVE-2026-41143 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-41143
Vulnerability Analysis
The vulnerability resides in YesWiki's bazar module, which manages structured content entries called "fiches." The EntryManager.php service handles entry retrieval and update operations. At line 704, the code uses string concatenation to assemble a SQL query containing the id_fiche value supplied by the client through the $_POST superglobal.
Because the input bypasses both prepared statements and escaping routines, an attacker can break out of the intended query context. Injected payloads are executed in the database session of the YesWiki application user. The issue is classified as Improper Neutralization of Special Elements used in an SQL Command (CWE-89).
Root Cause
The root cause is direct concatenation of untrusted user input into a raw SQL query. The maintainers did not apply parameter binding through PDO or escape the id_fiche value before passing it to the database driver. This pattern violates secure coding guidance for PHP database access and exposes every query path that reaches line 704 of EntryManager.php.
Attack Vector
Exploitation requires network access to the YesWiki instance and low-privilege authentication, since the bazar entry endpoints require an authenticated session. An attacker submits a crafted id_fiche value in a POST request to a bazar endpoint that invokes EntryManager. The injected SQL executes against the backend database. Successful exploitation can extract user credentials, alter wiki content, or escalate impact through stacked queries depending on database configuration. See the GitHub Security Advisory GHSA-f58v-p6j9-24c2 for advisory details.
Detection Methods for CVE-2026-41143
Indicators of Compromise
- POST requests to bazar endpoints containing SQL metacharacters such as single quotes, UNION, SELECT, or comment sequences (--, /*) within the id_fiche parameter.
- Web server access logs showing repeated requests to tools/bazar/ paths from a single source with abnormal payload lengths.
- Database error messages or unexpected SELECT/UNION activity tied to the YesWiki application user.
Detection Strategies
- Enable database query logging and alert on queries referencing bazar_fiches tables that contain unbalanced quotes or UNION clauses.
- Deploy a web application firewall rule that inspects the id_fiche POST parameter for non-numeric or SQL keyword content.
- Correlate authentication events with high-volume bazar entry requests to identify low-privilege accounts attempting injection.
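The Indicators of Compromise and Detection Strategies above, applied to constructed request records of the kind a WAF or reverse proxy might log. This is an added example, not part of the advisory or of YesWiki; the record field names, the /tools/bazar/ path prefix, the identifier allow-list pattern and the length and burst thresholds are assumptions chosen for illustration.

```php
<?php
// Added example (not from the advisory or YesWiki). Field names, the path prefix,
// the allow-list regex and the thresholds are assumptions for illustration.
declare(strict_types=1);
// Metacharacters and keywords named in the Indicators of Compromise.
const SQL_TOKENS = ["'", '--', '/*', 'UNION', 'SELECT'];
// Returns the reasons one request looks like an injection attempt (empty if clean).
function inspectRequest(array $req): array
{
    $reasons = [];
    if ($req['method'] !== 'POST' || !str_starts_with($req['path'], '/tools/bazar/')) {
        return $reasons;
    }
    $id = $req['post']['id_fiche'] ?? null;
    if ($id !== null) {
        // Allow-list rather than deny-list: the advisory's WAF rule rejects non-numeric
        // values; this wider identifier pattern (assumed) still rejects every SQL token.
        if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
            $reasons[] = 'id_fiche outside identifier allow-list';
        }
        foreach (SQL_TOKENS as $tok) {
            if (stripos($id, $tok) !== false) {
                $reasons[] = "SQL token in id_fiche: $tok";
            }
        }
    }
    if ($req['body_len'] > 512) {            // assumed threshold for "abnormal" length
        $reasons[] = 'abnormal payload length';
    }
    return $reasons;
}
// Correlates per source IP: a burst of bazar POSTs from one client, or any flagged
// request, is what the Detection Strategies describe as worth an alert.
function scanRequests(array $requests, int $burst = 5): array
{
    $alerts = [];
    foreach ($requests as $r) {
        $alerts[$r['ip']]['count'] = ($alerts[$r['ip']]['count'] ?? 0) + 1;
        foreach (inspectRequest($r) as $why) {
            $alerts[$r['ip']]['flags'][] = $why;
        }
    }
    return array_filter($alerts, fn($a) => !empty($a['flags']) || $a['count'] >= $burst);
}
// Constructed sample: one benign edit and one client probing with a quote and a comment.
$sample = [
    ['ip' => '203.0.113.5', 'method' => 'POST', 'path' => '/tools/bazar/',
     'post' => ['id_fiche' => 'Fiche42'], 'body_len' => 210],
    ['ip' => '198.51.100.9', 'method' => 'POST', 'path' => '/tools/bazar/',
     'post' => ['id_fiche' => "Fiche42'--"], 'body_len' => 1900],
];
print_r(scanRequests($sample));
```

Only the second source is reported, with three reasons (allow-list miss, quote, comment sequence) plus the oversized body.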
Monitoring Recommendations
- Monitor outbound database traffic for anomalous result-set sizes following bazar requests.
- Track changes to YesWiki user tables and permission records, since these are common SQL injection targets.
- Review PHP error logs for PDOException or MySQL syntax errors originating from EntryManager.php.
How to Mitigate CVE-2026-41143
Immediate Actions Required
- Upgrade YesWiki to version 4.6.1 or later. Refer to the GitHub Release v4.6.1 notes.
- Audit existing bazar entries and user accounts for unauthorized changes that may indicate prior exploitation.
- Rotate database credentials and YesWiki account passwords if exploitation is suspected.
Patch Information
The YesWiki maintainers released version 4.6.1 to address the SQL injection in tools/bazar/services/EntryManager.php. The patch replaces direct concatenation of $data['id_fiche'] with parameterized query handling. Administrators should apply the upgrade through standard YesWiki update procedures and verify the installed version after deployment. Patch sources are available in the GitHub Security Advisory GHSA-f58v-p6j9-24c2.
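The concatenation pattern described under Root Cause beside the parameterized form this section describes the 4.6.1 patch as adopting. This is an added example and not YesWiki's code: the function names, the table and column names, and the in-memory SQLite database standing in for the MySQL backend are assumptions.

```php
<?php
// Added example, not YesWiki's code. Function, table and column names and the
// in-memory SQLite stand-in for MySQL are assumptions (requires pdo_sqlite).
declare(strict_types=1);
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (tag TEXT PRIMARY KEY, body TEXT)');
$pdo->exec("INSERT INTO pages VALUES ('Fiche1', 'entry one'), ('Fiche2', 'entry two')");
// Vulnerable shape: $data['id_fiche'] (copied from $_POST) becomes part of the SQL text,
// so the value can change the statement's structure instead of acting only as a value.
function findEntryUnsafe(PDO $pdo, array $data): array
{
    $sql = "SELECT tag, body FROM pages WHERE tag = '" . $data['id_fiche'] . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}
// Hardened shape: a prepared statement with a bound parameter. The driver transmits the
// value separately from the statement, so it is never parsed as SQL, whatever it contains.
function findEntrySafe(PDO $pdo, array $data): array
{
    $stmt = $pdo->prepare('SELECT tag, body FROM pages WHERE tag = :tag');
    $stmt->execute([':tag' => (string) $data['id_fiche']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
// Constructed input standing in for $_POST: a tag carrying a stray single quote.
$post = ['id_fiche' => "Fiche1'"];
try {
    findEntryUnsafe($pdo, $post);
} catch (PDOException $e) {
    // The quote ends the string literal early and the statement no longer parses; this
    // is the kind of PDOException the Monitoring Recommendations say to watch for.
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}
print_r(findEntrySafe($pdo, $post));                    // quote is treated as data
print_r(findEntrySafe($pdo, ['id_fiche' => 'Fiche1'])); // the intended lookup
```

The unsafe function raises a syntax error on the quoted input, while the parameterized version simply returns no rows for it and the single matching row for the plain tag.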
Workarounds
- Restrict access to YesWiki to trusted authenticated users until the upgrade is applied.
- Place a web application firewall in front of YesWiki and block POST requests with non-numeric id_fiche values.
- Apply least-privilege controls on the YesWiki database account, removing rights to schemas not required by the application.
# Verify installed YesWiki version after upgrade
grep -R "YESWIKI_VERSION" /var/www/yeswiki/includes/constants.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.