Security Advisory - Published 2026-06-08 - PHP wiki

YesWiki CVE-2026-52778: CalcField RCE and DoS Self-Check

CVE-2026-52778 affects YesWiki versions before 4.6.6. The GitHub advisory points to the Bazar form field calculator in tools/bazar/fields/CalcField.php: formula validation relied on a complex recursive regular expression before the formula reached PHP evaluation. The risk is a server crash through ReDoS, and a high-risk path to code execution if that validation is bypassed.

Patch target: Upgrade YesWiki to 4.6.6 or newer. The 4.6.6 release is marked as a security release.

Who is affected

  • Product: YesWiki
  • CVE: CVE-2026-52778
  • Affected versions: YesWiki 4.6.5 and earlier, according to the GitHub advisory
  • Fixed version: 4.6.6
  • Component: Bazar CalcField.php
  • Impact: denial of service and possible remote code execution path through unsafe formula handling

10-minute self-check

Step 1: Confirm your YesWiki version

composer show yeswiki/yeswiki 2>/dev/null
git describe --tags --always 2>/dev/null
grep -RniE 'yeswiki|version' composer.lock package.json wakka.config.php 2>/dev/null | head -40

If you cannot confirm the version and the site is internet-facing, treat it as needing an update window.

Step 2: Check whether the vulnerable component exists

test -f tools/bazar/fields/CalcField.php && echo "Bazar CalcField present"
ls -la tools/bazar/fields/CalcField.php 2>/dev/null

The file being present does not prove exploitation. It tells you the affected Bazar calculator code path exists in this install.

Step 3: Review Bazar forms that use calculated fields

  • List public forms that accept visitor-submitted entries.
  • Identify forms that use calculated fields or custom formula input.
  • Disable public submissions on risky forms until the update is complete.
  • Keep a copy of form definitions and recent submissions before cleanup.
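The version and file checks from Steps 1 and 2 can be scripted so they give one verdict per install. This is an added example, not code from the advisory or from the YesWiki project; it assumes GNU sort -V is available, takes the version string you obtained in Step 1 as an argument (it does not parse composer.lock itself), and reports pre-release or unparseable versions as unknown so a person decides.

```shell
#!/bin/sh
# Added self-check helper (not part of the advisory or YesWiki).
# Fixed release named in the advisory.
FIXED_VERSION="4.6.6"

# Print "vulnerable" if VERSION sorts before 4.6.6, "fixed" if it is 4.6.6
# or newer, "unknown" if empty or not a plain dotted number (e.g. "4.6.6-beta1").
# Assumes GNU coreutils sort -V for version ordering.
classify_version() {
    v=$(printf '%s\n' "$1" | sed 's/^v//')
    if ! printf '%s\n' "$v" | grep -Eq '^[0-9]+(\.[0-9]+)*$'; then
        echo unknown
        return 0
    fi
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    if [ "$v" = "$FIXED_VERSION" ] || [ "$lowest" = "$FIXED_VERSION" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Step 2: does the affected Bazar calculator code path exist under ROOT?
# Presence only shows the code path exists; it is not evidence of exploitation.
calcfield_present() {
    [ -f "$1/tools/bazar/fields/CalcField.php" ]
}

# Combine both checks for an install root and the version found in Step 1.
# An unconfirmed version is treated as needing an update window, as the
# advisory recommends for internet-facing sites.
self_check() {
    root=$1
    version=$2
    status=$(classify_version "$version")
    if calcfield_present "$root"; then present=yes; else present=no; fi
    case "$status" in
        vulnerable) echo "UPDATE NEEDED: version ${version} is older than ${FIXED_VERSION}; CalcField present=${present}" ;;
        fixed)      echo "OK: version ${version} is ${FIXED_VERSION} or newer; CalcField present=${present}" ;;
        *)          echo "UNKNOWN VERSION: schedule an update window; CalcField present=${present}" ;;
    esac
}

# Usage (hypothetical paths): self_check /var/www/yeswiki "$(git describe --tags --always)"
```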

Safe fix path

  1. Back up files and database. Save the current YesWiki code and database before updating.
  2. Upgrade to 4.6.6 or newer. Use the official YesWiki release path for your install type.
  3. Disable risky Bazar forms during the window. Do this before reopening public submissions.
  4. Review changed PHP files. Check for unexpected PHP files or edited templates in the web root.
  5. Rotate credentials if compromise is suspected. Include admin accounts, database credentials, and hosting access.

Signs that need incident review

  • Apache or NGINX logs show repeated POSTs to Bazar entry endpoints.
  • The YesWiki process crashed or restarted repeatedly before the patch.
  • Unexpected PHP files appeared near the YesWiki root, extensions, or upload paths.
  • Admin users, templates, or configuration files changed without a known maintainer action.

Ping7 repair path

Ping7 can review YesWiki version, Bazar forms, web logs, and suspicious PHP changes. Start from CVE Repair and include the site URL, YesWiki version, and whether public Bazar forms are enabled.
