{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34598", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T17:15:52.499Z", "datePublished": "2026-04-02T17:37:37.386Z", "dateUpdated": "2026-04-02T19:09:44.401Z"}, "containers": {"cna": {"title": "YesWiki has Persistant Blind XSS at \"/?BazaR&vue=consulter\"", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-87", "lang": "en", "description": "CWE-87: Improper Neutralization of Alternate XSS Syntax", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-37fq-47qj-6j5j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-37fq-47qj-6j5j"}, {"name": "https://github.com/YesWiki/yeswiki/releases/tag/v4.6.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/YesWiki/yeswiki/releases/tag/v4.6.0"}], "affected": [{"vendor": "YesWiki", "product": "yeswiki", "versions": [{"version": "< 4.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:37:37.386Z"}, "descriptions": [{"lang": "en", "value": "YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0."}], "source": {"advisory": "GHSA-37fq-47qj-6j5j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T19:09:35.821184Z", "id": "CVE-2026-34598", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T19:09:44.401Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34598", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T19:09:35.821184Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T19:09:40.742Z"}}], "cna": {"title": "YesWiki has Persistant Blind XSS at \"/?BazaR&vue=consulter\"", "source": {"advisory": "GHSA-37fq-47qj-6j5j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "YesWiki", "product": "yeswiki", "versions": [{"status": "affected", "version": "< 4.6.0"}]}], "references": [{"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-37fq-47qj-6j5j", "name": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-37fq-47qj-6j5j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/YesWiki/yeswiki/releases/tag/v4.6.0", "name": "https://github.com/YesWiki/yeswiki/releases/tag/v4.6.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-87", "description": "CWE-87: Improper Neutralization of Alternate XSS Syntax"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:37:37.386Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34598", "state": "PUBLISHED", "dateUpdated": "2026-04-02T19:09:44.401Z", "dateReserved": "2026-03-30T17:15:52.499Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:37:37.386Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0."}], "id": "CVE-2026-34598", "lastModified": "2026-04-02T18:16:31.740", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:31.740", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/YesWiki/yeswiki/releases/tag/v4.6.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-37fq-47qj-6j5j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-87"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.6.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "yeswiki", "source": "cna", "vendor": "YesWiki"}, "product": "yeswiki", "vendor": "yeswiki"}], "analysis": {"en": {"generated_at": "2026-04-02T22:29:07.569830+00:00", "value": {"mitigation_remediation": ["Upgrade YesWiki to version 4.6.0 or later"], "summary": {"action": "Apply Patch", "impact": "Stored Blind Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "YesWiki systems running any release prior to version 4.6.0 are affected. Users of the \"yeswiki\" product should verify their deployment version and identify legacy installations that have not applied the latest update.", "description_and_impact": "A stored blind XSS vulnerability exists in the form title field of YesWiki. An attacker can inject JavaScript into the title that is saved unfiltered in the database. When any user browses the affected page, the payload runs in the victim\u2019s browser, potentially allowing session hijacking, data theft, or other malicious actions. This weakness is categorized as a cross\u2011site scripting attack that bypasses basic input sanitization.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high severity level. The vulnerability is exploitable without authentication and only requires a user to visit a crafted page. Because the exploit path is straightforward\u2014injecting code via the title field\u2014an attacker with access to the form or the ability to insert a malicious title can compromise any subsequent visitor. There is no EPSS data or KEV listing, but the ease of exploitation and the lack of mitigation in older releases make this a significant risk."}}}}, "created": "2026-04-03T07:32:12.072952+00:00", "updated": "2026-04-03T09:17:15.421661+00:00", "vendors": ["yeswiki", "yeswiki$PRODUCT$yeswiki"]}