
CVE-2026-52778: YesWiki CalcField RCE Vulnerability

CVE-2026-52778 is a remote code execution flaw in YesWiki's Bazar form field calculator that allows attackers to execute arbitrary PHP code. This article covers the technical details, affected versions, and mitigation steps.


CVE-2026-52778 Overview

CVE-2026-52778 is a code injection vulnerability in YesWiki, a PHP-based wiki system. The flaw resides in the Bazar form field calculator component (CalcField.php) in versions prior to 4.6.6. The application attempts to sanitize user-supplied mathematical formulas with a complex recursive regular expression before passing the result to PHP's eval() function. Any bypass of the regex sanitizer leads directly to arbitrary PHP code execution on the server. The same recursive pattern is also vulnerable to Regular Expression Denial of Service (ReDoS), allowing attackers to crash the server through stack overflow. The vulnerability is tracked under [CWE-94] (Improper Control of Generation of Code).

Critical Impact

Unauthenticated network attackers can achieve remote code execution or crash the YesWiki server by submitting crafted formula input to the Bazar calculator field.

Affected Products

  • YesWiki versions prior to 4.6.6
  • Bazar form field calculator component (CalcField.php)
  • YesWiki deployments exposing Bazar forms to network users

Discovery Timeline

  • 2026-06-08 - CVE-2026-52778 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-52778

Vulnerability Analysis

The vulnerability stems from an unsafe design pattern in CalcField.php. YesWiki accepts user-defined mathematical formulas through Bazar form fields and evaluates them server-side using PHP's eval() function. To prevent injection, the code attempts to filter formula content with a complex recursive regular expression intended to allow only numeric operations.

This architecture fails for two reasons. First, regex-based sanitization for an eval sink provides no defense in depth: any logic gap in the pattern converts directly into arbitrary PHP execution. Second, the recursive regex itself exhibits catastrophic backtracking behavior, producing a ReDoS condition that exhausts stack memory.

The combined impact covers all three pillars of the [CIA] triad: confidentiality through file read, integrity through arbitrary writes, and availability through the ReDoS stack overflow.

Root Cause

The root cause is the use of eval() on attacker-influenced input combined with a denylist-style regex sanitizer. The approach assumes the regex can fully constrain the input grammar, but PHP expression syntax is rich enough that any bypass, for example function name obfuscation or operator abuse, escapes the filter and reaches the interpreter.
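The structural fix for this class of bug is to stop the formula from ever reaching an interpreter: tokenize the arithmetic grammar explicitly and evaluate the parse tree, so that no regex stands between untrusted input and eval(). The following is an added example written for this article; it is not YesWiki's code and not the parser shipped in 4.6.6, and the length and nesting limits are assumptions chosen for illustration. The tokenizer admits only digits, a decimal point, the four operators and parentheses, and the parser does a single linear pass, so there is neither an eval sink for a bypass to reach nor a backtracking pattern for a ReDoS payload to exhaust.

```php
<?php
declare(strict_types=1);

// Added example, not YesWiki's code: a recursive-descent evaluator for the
// numeric grammar a calculator field needs, replacing "regex-filter, then
// eval()". Limits below are assumed values, not figures from the advisory.

final class CalcSyntaxError extends RuntimeException {}

final class SafeCalc
{
    private const MAX_LENGTH = 256;   // assumed bound on formula size
    private const MAX_DEPTH  = 32;    // assumed bound on parenthesis nesting

    /** @var list<string> */
    private array $tokens = [];
    private int $pos = 0;

    public static function evaluate(string $formula): float
    {
        if (strlen($formula) > self::MAX_LENGTH) {
            throw new CalcSyntaxError('formula too long');
        }
        $calc = new self();
        $calc->tokens = self::tokenize($formula);
        $value = $calc->parseSum(0);
        if ($calc->pos !== count($calc->tokens)) {
            throw new CalcSyntaxError('unexpected token ' . $calc->tokens[$calc->pos]);
        }
        return $value;
    }

    /** @return list<string> */
    private static function tokenize(string $s): array
    {
        $tokens = [];
        $n = strlen($s);
        for ($i = 0; $i < $n;) {
            $c = $s[$i];
            if ($c === ' ') { $i++; continue; }
            if (ctype_digit($c) || $c === '.') {
                $j = $i;
                while ($j < $n && (ctype_digit($s[$j]) || $s[$j] === '.')) { $j++; }
                $num = substr($s, $i, $j - $i);
                if (!is_numeric($num)) { throw new CalcSyntaxError("bad number $num"); }
                $tokens[] = $num;
                $i = $j;
                continue;
            }
            if (strpos('+-*/()', $c) !== false) { $tokens[] = $c; $i++; continue; }
            // Letters, '$', quotes, backticks and ';' never become tokens, so a
            // function name such as system or assert cannot be expressed at all.
            throw new CalcSyntaxError("illegal character '$c'");
        }
        return $tokens;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }

    // sum := product (('+' | '-') product)*
    private function parseSum(int $depth): float
    {
        $value = $this->parseProduct($depth);
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $rhs = $this->parseProduct($depth);
            $value = $op === '+' ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    // product := unary (('*' | '/') unary)*
    private function parseProduct(int $depth): float
    {
        $value = $this->parseUnary($depth);
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $rhs = $this->parseUnary($depth);
            if ($op === '/' && $rhs == 0.0) { throw new CalcSyntaxError('division by zero'); }
            $value = $op === '*' ? $value * $rhs : $value / $rhs;
        }
        return $value;
    }

    // unary := '-' unary | '(' sum ')' | number   (depth is bounded, not recursed blindly)
    private function parseUnary(int $depth): float
    {
        if ($depth > self::MAX_DEPTH) { throw new CalcSyntaxError('nesting too deep'); }
        $tok = $this->peek();
        if ($tok === '-') { $this->pos++; return -$this->parseUnary($depth + 1); }
        if ($tok === '(') {
            $this->pos++;
            $value = $this->parseSum($depth + 1);
            if ($this->peek() !== ')') { throw new CalcSyntaxError('missing )'); }
            $this->pos++;
            return $value;
        }
        if ($tok !== null && is_numeric($tok)) { $this->pos++; return (float) $tok; }
        throw new CalcSyntaxError('expected number or (');
    }
}

// Constructed inputs: one legitimate formula, two injection-shaped strings and a
// nesting bomb. Only the first evaluates; the others fail closed with an error.
$samples = ['2 * (3 + 4.5)', "system('id')", '1+`id`',
            str_repeat('(', 100) . '1' . str_repeat(')', 100)];
foreach ($samples as $f) {
    try {
        $out = (string) SafeCalc::evaluate($f);
    } catch (CalcSyntaxError $e) {
        $out = 'rejected: ' . $e->getMessage();
    }
    echo substr($f, 0, 24), ' => ', $out, PHP_EOL;
}
```

The design point is that rejection happens at the tokenizer on character class, not on a pattern over the whole string, so the set of accepted inputs is exactly the grammar and nothing the parser does not understand is ever handed to PHP. The explicit depth and length bounds turn the availability problem into a cheap check rather than a property of regex engine behaviour.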

Attack Vector

The attack vector is network-based and unauthenticated where Bazar forms are publicly accessible. An attacker submits a crafted formula value through a Bazar calculator field. The payload either bypasses the regex sanitizer to reach eval(), executing arbitrary PHP under the web server account, or it triggers the ReDoS path and crashes the PHP-FPM worker. No user interaction is required.

For verified technical details, refer to the GitHub Security Advisory GHSA-px5m-h76g-p7p8 and the GitHub Commit Details.

Detection Methods for CVE-2026-52778

Indicators of Compromise

  • POST requests to Bazar form endpoints containing PHP function names such as system, exec, passthru, shell_exec, or assert inside formula parameters
  • Web server worker crashes or segmentation faults correlated with requests carrying unusually long or deeply nested formula expressions
  • New or modified PHP files in the YesWiki webroot, particularly in cache/ or files/ directories, written by the web server user
  • Outbound network connections from the PHP-FPM or Apache process to unfamiliar hosts following Bazar form submissions

Detection Strategies

  • Inspect web access logs for Bazar form parameter values containing PHP syntax elements like backticks, dollar-sign variables, or call_user_func patterns
  • Monitor PHP error logs for eval() runtime errors and PCRE backtrack limit warnings referencing CalcField.php
  • Deploy file integrity monitoring across the YesWiki installation directory to surface unauthorized webshell drops
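The log-inspection strategies above can be applied mechanically. The script below is an added example for this article, not part of the advisory or of YesWiki: it pulls the query parameters out of combined-format access log lines, URL-decodes them and reports which of the indicators listed above each value trips. The sample lines, the /bazar-form path and the formula parameter name are constructed for illustration and are not YesWiki's real endpoints or field names; the "unusually long" and "deeply nested" thresholds are assumptions. Because standard access logs carry only the request line, POST bodies will be visible only where the web server or a WAF audit log records them.

```php
<?php
declare(strict_types=1);

// Added example (not the advisory's or YesWiki's code): apply the indicators
// from the detection section to access-log lines. Thresholds are assumed.
const PHP_FUNCTION_NAMES = ['system', 'exec', 'passthru', 'shell_exec', 'assert',
                            'call_user_func', 'eval', 'popen', 'proc_open'];
const MAX_BENIGN_LENGTH = 200;   // assumed threshold for "unusually long"
const MAX_BENIGN_DEPTH  = 8;     // assumed threshold for "deeply nested"

/** Deepest parenthesis nesting in a formula value. */
function maxParenDepth(string $s): int
{
    $depth = 0; $max = 0;
    foreach (str_split($s) as $c) {
        if ($c === '(')      { $max = max($max, ++$depth); }
        elseif ($c === ')')  { $depth = max(0, $depth - 1); }
    }
    return $max;
}

/** Names of the indicators that fire for one decoded parameter value. */
function formulaIndicators(string $value): array
{
    $hits = [];
    $lower = strtolower($value);
    foreach (PHP_FUNCTION_NAMES as $fn) {
        // Require the name to be followed by "(" so "exec" inside another word does not count.
        if (preg_match('/\b' . preg_quote($fn, '/') . '\s*\(/', $lower) === 1) {
            $hits[] = 'php_function:' . $fn;
        }
    }
    if (strpos($value, '`') !== false)                     { $hits[] = 'backtick'; }
    if (preg_match('/\$[a-z_]/i', $value) === 1)           { $hits[] = 'php_variable'; }
    if (preg_match('/[^0-9+\-*\/().\s]/', $value) === 1)   { $hits[] = 'non_math_chars'; }
    if (strlen($value) > MAX_BENIGN_LENGTH)                { $hits[] = 'long_formula'; }
    if (maxParenDepth($value) > MAX_BENIGN_DEPTH)          { $hits[] = 'deep_nesting'; }
    return $hits;
}

/** Decoded query parameters of the request line in one combined-format log entry. */
function requestParams(string $logLine): array
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) { return []; }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) { return []; }
    parse_str($query, $params);   // percent-decodes each value
    return $params;
}

/** Map of line number => [parameter => indicators] for every line that trips something. */
function scanLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        foreach (requestParams($line) as $name => $value) {
            if (!is_string($value)) { continue; }
            $hits = formulaIndicators($value);
            if ($hits !== []) { $findings[$i + 1][$name] = $hits; }
        }
    }
    return $findings;
}

// Constructed sample lines (not real YesWiki traffic); path and parameter are assumptions.
$sampleLog = [
    '203.0.113.7 - - [08/Jun/2026:10:00:01 +0000] "GET /bazar-form?formula=2*%283%2B4%29 HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Jun/2026:10:00:05 +0000] "GET /bazar-form?formula=1%2Bsystem%28%27id%27%29 HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Jun/2026:10:00:07 +0000] "GET /bazar-form?formula=%60id%60 HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Jun/2026:10:00:09 +0000] "GET /bazar-form?formula='
        . str_repeat('%28', 40) . '1' . str_repeat('%29', 40) . ' HTTP/1.1" 502 0',
];

foreach (scanLog($sampleLog) as $lineNo => $params) {
    foreach ($params as $name => $hits) {
        echo "line $lineNo param $name: ", implode(', ', $hits), PHP_EOL;
    }
}
```

The first sample line is a benign formula and produces no finding; the second and third trip the function-name and backtick indicators, and the fourth trips only the nesting indicator, which is the signature to correlate with the worker crashes described under Indicators of Compromise. Treat the output as a triage queue rather than a verdict: a formula field legitimately contains operators and parentheses, so the non_math_chars indicator alone is the weakest signal and the function-name and backtick hits deserve attention first.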

Monitoring Recommendations

  • Enable PHP log_errors and forward logs to a centralized SIEM for correlation with web traffic
  • Alert on web server process crashes and abnormal CPU spikes that may indicate ReDoS exploitation attempts
  • Track child process creation from PHP-FPM or Apache parent processes to identify post-exploitation command execution

How to Mitigate CVE-2026-52778

Immediate Actions Required

  • Upgrade YesWiki to version 4.6.6 or later, which removes the vulnerable evaluation path in CalcField.php
  • Audit existing Bazar forms for calculator field usage and review web logs for prior exploitation attempts
  • Restrict network access to YesWiki administrative and form-submission endpoints until patching completes

Patch Information

The fix is delivered in YesWiki release v4.6.6. The patch commit is published at GitHub Commit dd2bd8f. Administrators should apply the official upgrade rather than backport individual changes, since the fix replaces the unsafe eval()-based calculator with a safer parser.

Workarounds

  • Disable or remove Bazar forms that use the calculator field type until the upgrade is applied
  • Place YesWiki behind a web application firewall and block POST bodies containing PHP function names or non-mathematical characters in calculator parameters
  • Require authentication for all Bazar form submissions to limit the unauthenticated attack surface
```bash
# Upgrade YesWiki to the patched release
cd /var/www/yeswiki
php tools/update/cli.php --version=4.6.6
# Verify version after upgrade
grep "'WIKINI_VERSION'" includes/constants.php
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
