CVE-2026-52778: Unauthenticated Remote Code Execution and ReDoS in YesWiki Bazar Formula Calculator
Vulnerability ID: CVE-2026-52778
CVSS Score: 9.8
Published: 2026-07-09
An unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki prior to version 4.6.6. The application attempts to validate mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This design leads to both Regular Expression Denial of Service (ReDoS) and Remote Code Execution (RCE) via validation bypass.
TL;DR
Unsafe eval() in YesWiki Bazar Formula Calculator allows unauthenticated remote code execution and denial of service via regex stack overflow. Patched in 4.6.6.
Technical Details
- CWE ID: CWE-94 / CWE-1333
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CVSS v3.1: 9.8 (Critical)
- Exploit Status: None / Theoretical
- CISA KEV Status: Not Listed
Affected Systems
- YesWiki < 4.6.6
-
yeswiki: < 4.6.6 (Fixed in:
4.6.6)
Code Analysis
Commit: dd2bd8f
Secure Bazar formula calculations by using custom safe lexer/parser instead of eval
--- tools/bazar/fields/CalcField.php
+++ tools/bazar/fields/CalcField.php
@@ -13,11 +13,27 @@ class CalcField extends BazarField
{
protected const FIELD_DISPLAY_TEXT = 4;
protected const FIELD_CALCFORMULA = 5;
+
+ private const ALLOWED_FUNCTIONS = [
+ 'sin' => 'sin', 'sinh' => 'sinh',
+ 'cos' => 'cos', 'cosh' => 'cosh',
+ 'tan' => 'tan', 'tanh' => 'tanh',
+ 'asin' => 'asin', 'asinh' => 'asinh',
+ 'acos' => 'acos', 'acosh' => 'acosh',
+ 'atan' => 'atan', 'atanh' => 'atanh',
+ 'abs' => 'abs', 'exp' => 'exp', 'log10' => 'log10',
+ 'deg2rad' => 'deg2rad', 'rad2deg' => 'rad2deg',
+ 'sqrt' => 'sqrt', 'ceil' => 'ceil', 'floor' => 'floor', 'round' => 'round',
+ ];
+
Mitigation Strategies
- Upgrade to YesWiki version 4.6.6 or newer.
- Disable or restrict Bazar form calculator fields if immediate patching is not possible.
- Deploy Web Application Firewall (WAF) rules to detect and drop requests containing deeply nested parenthesis patterns in formula fields.
Remediation Steps:
- Identify all active YesWiki installations and determine their current version.
- Download the updated release files for version 4.6.6 or apply the patch commit to tools/bazar/fields/CalcField.php.
- Verify the fix by ensuring that eval() is no longer invoked inside CalcField.php.
- Configure hard limits for pcre.recursion_limit and pcre.backtrack_limit in the system's php.ini configuration file.
References
- GHSA-px5m-h76g-p7p8: Unsafe eval() in Bazar Formula Calculator (YesWiki)
- Official Fix Commit
- YesWiki Release v4.6.6
- NVD CVE-2026-52778 Detail
- CVE.org Entry
Read the full report for CVE-2026-52778 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)