YesWiki SQL Injection (CVE-2026-41143) Risks Data Exposure

The National Vulnerability Database reports a critical SQL injection vulnerability, CVE-2026-41143, within the YesWiki bazar module. This flaw, present in versions prior to 4.6.1, allows an attacker to inject malicious SQL queries directly into the database. Specifically, the $data['id_fiche'] value, sourced from user-controlled $_POST['id_fiche'], is concatenated into a raw SQL query without proper sanitization or parameterization in tools/bazar/services/EntryManager.php at line 704.

This vulnerability carries a high CVSS score of 8.8, indicating a severe risk. An attacker with low privileges could exploit this to achieve high impact on confidentiality, integrity, and availability. The direct concatenation of unsanitized input into SQL queries is a classic CWE-89 flaw, making exploitation straightforward for adversaries.

Defenders running YesWiki installations must prioritize patching to version 4.6.1 immediately. Failure to do so leaves sensitive data exposed to exfiltration and manipulation. The attacker’s calculus here is simple: find unpatched YesWiki instances, exploit the SQLi, and gain full database access with minimal effort.

What This Means For You

  • If your organization uses YesWiki, check your version immediately. Patch to 4.6.1 without delay to remediate CVE-2026-41143. Assume any unpatched instance is actively vulnerable to data exfiltration and integrity compromise, and audit logs for unusual database activity.

🛡️ Detection Rules

critical T1190 Initial Access

YesWiki Bazar Module SQL Injection Attempt (CVE-2026-41143)

Sigma YAML
title: YesWiki Bazar Module SQL Injection Attempt (CVE-2026-41143)
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit the SQL injection vulnerability in the YesWiki bazar module (CVE-2026-41143). This rule specifically looks for POST requests to EntryManager.php containing the 'id_fiche' parameter, which is known to be vulnerable. It also checks for common SQL injection payloads within the query string, indicating an exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41143/
tags:
  - attack.initial_access
  - attack.t1190
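logsource:
  category: webserver
detection:
  # Both selections read cs-uri-query only. The vulnerable value is
  # $_POST['id_fiche'], so a value sent in the request body is matched
  # only if the log source records request bodies in that field.
  selection:
    uri|contains:
      - '/tools/bazar/services/EntryManager.php'
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'id_fiche='
  selection_payload:
    cs-uri-query|contains:
      - 'UNION SELECT'
      - 'SLEEP('
      - 'BENCHMARK('
      - '@@version'
      - 'database()'
  # condition belongs at the detection level, with a lowercase operator
  condition: selection and selection_payload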
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
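
The rule's matching logic, applied in Python to constructed log records, as an added example that is not part of the original rule or of YesWiki. It shows which records satisfy `selection and selection_payload` when only the query string is inspected, and which do once a request-body field is inspected too; the `cs-body` field name and all sample records are assumptions made for illustration.

```python
# Added example: the Sigma rule's matching logic over constructed records.
# uri, cs-method and cs-uri-query are the rule's own fields; "cs-body" is a
# hypothetical field for wherever a WAF or audit log stores POST bodies.
PATH = "/tools/bazar/services/EntryManager.php"
PAYLOADS = ("UNION SELECT", "SLEEP(", "BENCHMARK(", "@@version", "database()")


def contains_any(value, needles):
    """Sigma |contains: case-insensitive substring match, OR across the list."""
    value = (value or "").lower()
    return any(n.lower() in value for n in needles)


def rule_matches(event, fields=("cs-uri-query",)):
    """condition: selection and selection_payload, over the given fields."""
    inspected = " ".join(event.get(f) or "" for f in fields)
    selection = (
        contains_any(event.get("uri"), [PATH])
        and (event.get("cs-method") or "").upper() == "POST"
        and contains_any(inspected, ["id_fiche="])
    )
    return selection and contains_any(inspected, PAYLOADS)


# Constructed sample records, not taken from any real log.
EVENTS = [
    # parameter and keyword both in the logged query string
    {"uri": PATH, "cs-method": "POST", "cs-uri-query": "id_fiche=1 union select 1", "cs-body": ""},
    # same value carried in the POST body, query string empty
    {"uri": PATH, "cs-method": "POST", "cs-uri-query": "", "cs-body": "id_fiche=1 UNION SELECT 1"},
    # ordinary form submission
    {"uri": PATH, "cs-method": "POST", "cs-uri-query": "", "cs-body": "id_fiche=MaFiche"},
    # keyword present but method is GET
    {"uri": PATH, "cs-method": "GET", "cs-uri-query": "id_fiche=1 UNION SELECT 1", "cs-body": ""},
]


def evaluate(events, fields=("cs-uri-query",)):
    return [rule_matches(e, fields) for e in events]


if __name__ == "__main__":
    print("rule as published:", evaluate(EVENTS))
    print("query string + body:", evaluate(EVENTS, ("cs-uri-query", "cs-body")))
```

Default web server access logs record the query string but not the request body, so coverage of the body case depends on a log source that captures it.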

Indicators of Compromise

ID | Type | Indicator
CVE-2026-41143 | SQLi | YesWiki bazar module prior to version 4.6.1
CVE-2026-41143 | SQLi | YesWiki vulnerable file: tools/bazar/services/EntryManager.php
CVE-2026-41143 | SQLi | Vulnerable parameter: $_POST['id_fiche']

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
