DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-52778: CVE-2026-52778: Unauthenticated Remote Code Execution and ReDoS in YesWiki Bazar Formula Calculator

CVE-2026-52778: Unauthenticated Remote Code Execution and ReDoS in YesWiki Bazar Formula Calculator

Vulnerability ID: CVE-2026-52778
CVSS Score: 9.8
Published: 2026-07-09

An unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki prior to version 4.6.6. The application attempts to validate mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This design leads to both Regular Expression Denial of Service (ReDoS) and Remote Code Execution (RCE) via validation bypass.

TL;DR

Unsafe eval() in YesWiki Bazar Formula Calculator allows unauthenticated remote code execution and denial of service via regex stack overflow. Patched in 4.6.6.


Technical Details

  • CWE ID: CWE-94 / CWE-1333
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • CVSS v3.1: 9.8 (Critical)
  • Exploit Status: None / Theoretical
  • CISA KEV Status: Not Listed

Affected Systems

  • YesWiki < 4.6.6
  • yeswiki: < 4.6.6 (Fixed in: 4.6.6)

Code Analysis

Commit: dd2bd8f

Secure Bazar formula calculations by using custom safe lexer/parser instead of eval

--- tools/bazar/fields/CalcField.php
+++ tools/bazar/fields/CalcField.php
@@ -13,11 +13,27 @@ class CalcField extends BazarField
 {
     protected const FIELD_DISPLAY_TEXT = 4;
     protected const FIELD_CALCFORMULA = 5;
+
+    private const ALLOWED_FUNCTIONS = [
+        'sin' => 'sin', 'sinh' => 'sinh',
+        'cos' => 'cos', 'cosh' => 'cosh',
+        'tan' => 'tan', 'tanh' => 'tanh',
+        'asin' => 'asin', 'asinh' => 'asinh',
+        'acos' => 'acos', 'acosh' => 'acosh',
+        'atan' => 'atan', 'atanh' => 'atanh',
+        'abs' => 'abs', 'exp' => 'exp', 'log10' => 'log10',
+        'deg2rad' => 'deg2rad', 'rad2deg' => 'rad2deg',
+        'sqrt' => 'sqrt', 'ceil' => 'ceil', 'floor' => 'floor', 'round' => 'round',
+    ];
+
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade to YesWiki version 4.6.6 or newer.
  • Disable or restrict Bazar form calculator fields if immediate patching is not possible.
  • Deploy Web Application Firewall (WAF) rules to detect and drop requests containing deeply nested parenthesis patterns in formula fields.

Remediation Steps:

  1. Identify all active YesWiki installations and determine their current version.
  2. Download the updated release files for version 4.6.6 or apply the patch commit to tools/bazar/fields/CalcField.php.
  3. Verify the fix by ensuring that eval() is no longer invoked inside CalcField.php.
  4. Configure hard limits for pcre.recursion_limit and pcre.backtrack_limit in the system's php.ini configuration file.

References


Read the full report for CVE-2026-52778 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)