eastbaycyber

CVE-2026-52778: YesWiki Calculator Eval and ReDoS Vulnerability

CVE explainers 9 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-06-08
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-52778
CVSS score 9.8 Critical
Attack vector Remote
Auth required Unknown from cited record; defenders should assume low-friction remote reachability if calculator features are exposed
Patch status Fixed in YesWiki 4.6.6

TL;DR - YesWiki before 4.6.6 is vulnerable in CalcField.php. - Risk includes ReDoS and possible PHP code execution. - Upgrade to 4.6.6 urgently and review calculator exposure.

What Happened and Why It Matters

CVE-2026-52778 is a critical YesWiki vulnerability in the Bazar form field calculator component, specifically CalcField.php. According to the NVD description, affected versions are YesWiki prior to 4.6.6, and the bug stems from an unsafe pattern: the application tries to sanitize user-supplied mathematical formulas with a complex recursive regular expression and then passes the resulting string to PHP’s eval().

That design has two different security outcomes, both serious. First, recursive or heavily nested input can trigger Regular Expression Denial of Service (ReDoS) or stack overflow conditions, potentially crashing the PHP process or degrading service availability. Second, if an attacker can bypass the sanitization logic, the vulnerable path can lead directly to arbitrary PHP code execution, which is why this issue carries a CVSS 9.8 severity rating in the cited record.

For defenders, the main point is not just that the regex is flawed. The more important lesson is architectural: once untrusted input is allowed anywhere near eval(), the entire safety model depends on the filter being perfect. Filters are rarely perfect, and recursive regex handling makes the failure mode worse. Even if your deployment is not internet-facing, a vulnerable internal YesWiki instance can still represent a significant risk if accessible to untrusted or semi-trusted users.

AnalystImpact · assess the risk

Affected Versions and Fixed Version

The confirmed affected range from the available source material is “YesWiki versions prior to 4.6.6.” The fixed release is YesWiki 4.6.6. The research note does not provide a narrower lower bound, so it is not accurate to claim only certain 4.x builds are exposed. In the absence of a lower bound, administrators should treat any deployed YesWiki version earlier than 4.6.6 as affected until they verify otherwise from project release history or vendor guidance.

The vulnerable component is the Bazar form field calculator in CalcField.php. If your YesWiki deployment does not use Bazar or does not expose calculator functionality, that may reduce practical exposure, but it does not change the affected version statement published in the cited vulnerability record. Security teams should avoid assuming that “unused” features are harmless unless they have verified they are disabled at the application level and not reachable through stored configuration, imported forms, or privileged content editing paths.

A practical asset inventory step is to identify both the application version and whether Bazar calculator fields are present in production content. That will help you prioritize emergency patching versus immediate containment. Still, because the fixed version is available, the primary remediation remains upgrading to 4.6.6.

Exploitation Status, PoC Status, and Defender Assumptions

At the time of the cited research, there is no confirmed evidence of exploitation in the wild. The CVE is not listed in CISA KEV (on_kev: false), which means there is no current KEV-backed confirmation of active exploitation. That said, absence from KEV is not evidence of safety. KEV is useful, but it is not comprehensive, especially early in a CVE’s lifecycle.

There is also no confirmed public PoC exploit repository in the cited NVD references. The known public references include a patch commit, a fixed release, and a GitHub security advisory. Those references are enough for defenders and researchers to understand the issue at a high level, but they do not, based on the provided material, establish a dedicated exploit PoC. So the most accurate statement is: no confirmed in-the-wild exploitation and no confirmed public PoC from the cited references.

Defenders should still treat this as urgent. Critical bugs involving eval(), especially in PHP applications, often attract rapid analysis after patch publication. Once a patch commit is public, attackers can diff the change and reverse-engineer trigger conditions. In practice, that means your safest assumption is that weaponization may follow quickly even if exploitation is not yet publicly confirmed.

Risk Analysis for Administrators and Security Teams

This vulnerability matters because it combines a likely low-effort abuse path for service disruption with a potentially much worse code execution scenario. ReDoS alone can be enough to cause application instability, elevated CPU consumption, request queueing, or repeated crashes under relatively small request volume. On smaller PHP deployments, that can translate into a real outage.

The arbitrary code execution angle raises the impact substantially. If a sanitization bypass is achievable, successful exploitation could allow execution in the web server’s PHP context. The downstream consequences depend on deployment hardening: local file reads, secret exposure, database credential theft, content tampering, web shell placement, lateral movement, or host compromise are all realistic post-exploitation concerns in a poorly segmented environment.

From a business perspective, this is not the kind of issue to leave for routine maintenance. If you operate YesWiki in support of knowledge management, public collaboration, intranet publishing, or customer-facing forms, the combination of critical severity, patch availability, and unsafe eval() architecture makes this a same-day remediation candidate.

Bottom Line

CVE-2026-52778 affects YesWiki versions prior to 4.6.6 and exposes organizations to ReDoS and possible arbitrary PHP code execution through unsafe formula handling in CalcField.php. There is no confirmed public PoC in the cited references and no KEV-listed in-the-wild exploitation at this time, but that should not slow response.

If you run YesWiki, the action is straightforward: upgrade to 4.6.6 now, review any use of Bazar calculator fields, and inspect logs for suspicious formula submissions or crash patterns.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

ResponderRunbook · act now

Detection and Triage

Detection may be difficult if your current logging does not capture form submissions or application errors in detail. The vulnerable area involves formula processing in the Bazar calculator field, so the highest-value artifacts are requests that create, edit, or submit forms containing unexpectedly complex expressions, deeply nested parentheses, or PHP-like syntax that should never appear in a normal mathematical formula.

You should review web logs, reverse proxy logs, and PHP error logs for signs of malformed or unusually large formula inputs near the time of crashes, 500 responses, or worker restarts. Because the NVD-backed material does not include exact request parameter names, avoid overfitting to one field name. Instead, look for requests touching form creation or submission endpoints combined with suspicious expression strings.

Technical Notes

Start with web and PHP logs around periods of instability:

# Apache or Nginx access logs: look for suspicious formula-like payloads
grep -RIE "(\$\{|\b(eval|system|shell_exec|assert)\b|[()]{8,}|%28%28%28%28|%24%7B)" /var/log/nginx /var/log/apache2 2>/dev/null

# PHP-FPM and PHP error logs: stack overflow, backtracking, fatal errors
grep -RIE "(stack overflow|Allowed memory size exhausted|maximum execution time|preg_|Fatal error)" /var/log/php* /var/log 2>/dev/null

Example suspicious patterns to hunt for:

POST /?Bazar or form-related endpoint ... 500
... formula=((((((((((((1))))))))))))
... formula=${phpinfo()}
... PHP Fatal error:  Allowed memory size exhausted ...
... preg_match(): Compilation failed ...
... child exited on signal 11 (SIGSEGV)

If you use a SIEM, a broad starter query can help identify likely abuse attempts without assuming a specific parameter name:

SELECT timestamp, src_ip, http_method, url, status, user_agent
FROM web_logs
WHERE status IN (500, 502, 503)
  AND (
    url LIKE '%Bazar%'
    OR request_body RLIKE '(\$\{|\b(eval|system|shell_exec|assert)\b|\({8,}|\){8,})'
  )
ORDER BY timestamp DESC;

Because exact exploit syntax is not confirmed in the cited material, defenders should use these as triage patterns, not signatures of record. The right operational assumption is that anomalous formula expressions plus application instability deserve immediate review.

Mitigation and Patching

The confirmed fix is YesWiki 4.6.6. If your deployment is running any version prior to 4.6.6, plan to upgrade immediately. Before changing production, take a backup of the application files, database, and configuration, and document whether custom plugins or local modifications touch Bazar fields. That will reduce rollback risk if your environment has drifted from the standard release.

If you cannot patch immediately, your fallback is to reduce exposure. Restrict access to YesWiki administrative and form-authoring capabilities, especially anywhere the Bazar calculator field can be defined or modified. If operationally possible, disable or remove calculator-based forms until the upgrade is complete. You should also put reverse proxy controls in front of the application to limit unusually large or suspicious form submissions and to reduce unauthenticated reachability where possible.

Technical Notes

If your YesWiki deployment was installed from source or a Git checkout, confirm the current version and upgrade to the fixed tag:

cd /var/www/yeswiki
git fetch --tags
git describe --tags
git checkout v4.6.6

If you deploy with archive releases rather than Git, download and replace the application with the official v4.6.6 release, then follow your normal maintenance process for permissions, cache clears, and service restarts. Because packaging varies, there is no single universal system package command that can be safely prescribed from the cited sources.

As an interim workaround, disable access to the calculator feature path where feasible and gate administrative access at the web tier. Example Nginx control for temporary IP restriction of administrative areas:

location / {
    # normal application traffic
}

location ~* /(admin|bazar) {
    allow 192.0.2.10;
    allow 198.51.100.0/24;
    deny all;
}

After upgrade, restart PHP and web services per your platform:

sudo systemctl restart php-fpm || sudo systemctl restart php8.2-fpm
sudo systemctl restart nginx || sudo systemctl restart apache2

If you cannot identify the exact calculator endpoints, assume the feature may still be reachable through existing forms and prioritize the full upgrade over partial filtering.

Validation After Remediation

After upgrading to YesWiki 4.6.6, verify the deployed version in the application UI or release files and confirm the running code matches the fixed release. Also test existing forms that use Bazar calculator logic to ensure business workflows still operate as expected. A rushed security patch that silently breaks production forms can lead teams to roll back, so include a short post-patch functionality check.

From a security perspective, review logs for any suspicious pre-patch activity. If you saw unexplained crashes, fatal PHP errors, or suspicious formula submissions before upgrading, treat the system as potentially compromised until proven otherwise. Because code execution is a stated possible outcome if sanitization is bypassed, look for indicators such as unexpected PHP files, changed application templates, new scheduled tasks, modified .htaccess or web server configs, and unusual outbound connections from the host.

References

Last verified: 2026-06-08

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.