{"uuid": "3fd057e2-ef72-4bf7-aa01-dd85d1e7fdcf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-52778", "type": "seen", "source": "https://gist.github.com/alon710/7957cb9c4dd6636892863390d2a98c29", "content": "# CVE-2026-52778: CVE-2026-52778: Unauthenticated Remote Code Execution and ReDoS in YesWiki Bazar Formula Calculator\n\n&gt; **CVSS Score:** 9.8\n&gt; **Published:** 2026-07-09\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-52778\n\n## Summary\nAn unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki prior to version 4.6.6. The application attempts to validate mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This design leads to both Regular Expression Denial of Service (ReDoS) and Remote Code Execution (RCE) via validation bypass.\n\n## TL;DR\nUnsafe eval() in YesWiki Bazar Formula Calculator allows unauthenticated remote code execution and denial of service via regex stack overflow. Patched in 4.6.6.\n\n## Technical Details\n\n- **CWE ID**: CWE-94 / CWE-1333\n- **Attack Vector**: Network\n- **Attack Complexity**: Low\n- **Privileges Required**: None\n- **User Interaction**: None\n- **CVSS v3.1**: 9.8 (Critical)\n- **Exploit Status**: None / Theoretical\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- YesWiki &lt; 4.6.6\n- **yeswiki**: &lt; 4.6.6 (Fixed in: `4.6.6`)\n\n## Mitigation\n\n- Upgrade to YesWiki version 4.6.6 or newer.\n- Disable or restrict Bazar form calculator fields if immediate patching is not possible.\n- Deploy Web Application Firewall (WAF) rules to detect and drop requests containing deeply nested parenthesis patterns in formula fields.\n\n**Remediation Steps:**\n1. Identify all active YesWiki installations and determine their current version.\n2. Download the updated release files for version 4.6.6 or apply the patch commit to tools/bazar/fields/CalcField.php.\n3. Verify the fix by ensuring that eval() is no longer invoked inside CalcField.php.\n4. Configure hard limits for pcre.recursion_limit and pcre.backtrack_limit in the system's php.ini configuration file.\n\n## References\n\n- [GHSA-px5m-h76g-p7p8: Unsafe eval() in Bazar Formula Calculator (YesWiki)](https://github.com/YesWiki/yeswiki/security/advisories/GHSA-px5m-h76g-p7p8)\n- [Official Fix Commit](https://github.com/YesWiki/yeswiki/commit/dd2bd8fb099de0d21504bda8a810693b3fcb8e52)\n- [YesWiki Release v4.6.6](https://github.com/YesWiki/yeswiki/releases/tag/v4.6.6)\n- [NVD CVE-2026-52778 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-52778)\n- [CVE.org Entry](https://www.cve.org/CVERecord?id=CVE-2026-52778)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-52778) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-09T22:12:01.772859Z"}