CVE-2026-41143

EUVD-2026-28312
YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] value (sourced from $_POST['id_fiche']) is concatenated directly into a raw SQL query without any sanitization or parameterization. This issue has been patched in version 4.6.1.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GitHub_MCNA
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 8%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
yeswikiyeswiki
𝑥
< 4.6.1
CNA
Common Weakness Enumeration
References
https://github.com/YesWiki/yeswiki/releases/tag/v4.6.1
https://github.com/YesWiki/yeswiki/security/advisories/GHSA-f58v-p6j9-24c2
https://github.com/YesWiki/yeswiki/security/advisories/GHSA-f58v-p6j9-24c2