Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/372000?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/372000?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.4.5", "type": "composer", "namespace": "yeswiki", "name": "yeswiki", "version": "4.4.5", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.6.1", "latest_non_vulnerable_version": "4.6.4", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97065?format=api", "vulnerability_id": "VCID-1rgx-642j-6bez", "summary": "YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to reflected XSS in the file upload form. This vulnerability allows any malicious unauthenticated user to create a link that can be clicked on by the victim to perform arbitrary actions. This issue has been patched in version 4.5.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46349", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00334", "scoring_system": "epss", "scoring_elements": "0.56729", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00334", "scoring_system": "epss", "scoring_elements": "0.56733", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00334", "scoring_system": "epss", "scoring_elements": "0.56744", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00358", "scoring_system": "epss", "scoring_elements": "0.58414", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46349" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://github.com/YesWiki/yeswiki/blob/6894234bbde6ab168bf4253f9a581bd24bf53766/tools/attach/libs/attach.lib.php#L724-L735", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki/blob/6894234bbde6ab168bf4253f9a581bd24bf53766/tools/attach/libs/attach.lib.php#L724-L735" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/0dac9e2fb2a5e69f13a3c9f761ecae6ed9676206", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki/commit/0dac9e2fb2a5e69f13a3c9f761ecae6ed9676206" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46349", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46349" }, { "reference_url": "https://github.com/YesWiki/yeswiki/pull/1264/commits/6edde40eb7eeb5d60619ac4d1e0a0422d92e9524", "reference_id": "6edde40eb7eeb5d60619ac4d1e0a0422d92e9524", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T18:01:18Z/" } ], "url": "https://github.com/YesWiki/yeswiki/pull/1264/commits/6edde40eb7eeb5d60619ac4d1e0a0422d92e9524" }, { "reference_url": "https://github.com/advisories/GHSA-2f8p-qqx2-gwr2", "reference_id": "GHSA-2f8p-qqx2-gwr2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2f8p-qqx2-gwr2" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-2f8p-qqx2-gwr2", "reference_id": "GHSA-2f8p-qqx2-gwr2", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T18:01:18Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-2f8p-qqx2-gwr2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376374?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-314j-emdm-t7bh" }, { "vulnerability": "VCID-6e7h-385p-zbak" }, { "vulnerability": "VCID-g1rj-vehc-3qe2" }, { "vulnerability": "VCID-nuap-ea2h-efdd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.5.4" } ], "aliases": [ "CVE-2025-46349", "GHSA-2f8p-qqx2-gwr2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1rgx-642j-6bez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/105025?format=api", "vulnerability_id": "VCID-314j-emdm-t7bh", "summary": "Cross Site Scripting vulnerability in YesWiki v.4.54 allows a remote attacker to execute arbitrary code via a crafted payload to the meta configuration robots field", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-52277", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00156", "scoring_system": "epss", "scoring_elements": "0.36395", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00156", "scoring_system": "epss", "scoring_elements": "0.36408", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00156", "scoring_system": "epss", "scoring_elements": "0.36215", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00156", "scoring_system": "epss", "scoring_elements": "0.36419", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-52277" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52277", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52277" }, { "reference_url": "https://github.com/nakkouchtarek/CVE/tree/main/CVE-2025-52277", "reference_id": "CVE-2025-52277", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-10T13:40:11Z/" } ], "url": "https://github.com/nakkouchtarek/CVE/tree/main/CVE-2025-52277" }, { "reference_url": "https://github.com/advisories/GHSA-29cj-cxw4-v4j2", "reference_id": "GHSA-29cj-cxw4-v4j2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-29cj-cxw4-v4j2" }, { "reference_url": "http://yeswiki.com", "reference_id": "yeswiki.com", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-10T13:40:11Z/" } ], "url": "http://yeswiki.com" } ], "fixed_packages": [], "aliases": [ "CVE-2025-52277", "GHSA-29cj-cxw4-v4j2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-314j-emdm-t7bh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80669?format=api", "vulnerability_id": "VCID-6e7h-385p-zbak", "summary": "YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] value (sourced from $_POST['id_fiche']) is concatenated directly into a raw SQL query without any sanitization or parameterization. This issue has been patched in version 4.6.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41143", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02842", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02853", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02849", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02858", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41143" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41143", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41143" }, { "reference_url": "https://github.com/advisories/GHSA-f58v-p6j9-24c2", "reference_id": "GHSA-f58v-p6j9-24c2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f58v-p6j9-24c2" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-f58v-p6j9-24c2", "reference_id": "GHSA-f58v-p6j9-24c2", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T13:41:41Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-f58v-p6j9-24c2" }, { "reference_url": "https://github.com/YesWiki/yeswiki/releases/tag/v4.6.1", "reference_id": "v4.6.1", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T13:41:41Z/" } ], "url": "https://github.com/YesWiki/yeswiki/releases/tag/v4.6.1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374246?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.6.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.6.1" } ], "aliases": [ "CVE-2026-41143", "GHSA-f58v-p6j9-24c2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6e7h-385p-zbak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97052?format=api", "vulnerability_id": "VCID-7pet-xetc-6khc", "summary": "YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue has been patched in version 4.5.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46348", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00626", "scoring_system": "epss", "scoring_elements": "0.70794", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00626", "scoring_system": "epss", "scoring_elements": "0.70791", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00626", "scoring_system": "epss", "scoring_elements": "0.70691", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00626", "scoring_system": "epss", "scoring_elements": "0.70781", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46348" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46348", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46348" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/0d4efc880a727599fa4f6d7a64cc967afe475530", "reference_id": "0d4efc880a727599fa4f6d7a64cc967afe475530", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-30T13:19:31Z/" } ], "url": "https://github.com/YesWiki/yeswiki/commit/0d4efc880a727599fa4f6d7a64cc967afe475530" }, { "reference_url": "https://github.com/advisories/GHSA-wc9g-6j9w-hr95", "reference_id": "GHSA-wc9g-6j9w-hr95", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wc9g-6j9w-hr95" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-wc9g-6j9w-hr95", "reference_id": "GHSA-wc9g-6j9w-hr95", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-30T13:19:31Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-wc9g-6j9w-hr95" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376374?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-314j-emdm-t7bh" }, { "vulnerability": "VCID-6e7h-385p-zbak" }, { "vulnerability": "VCID-g1rj-vehc-3qe2" }, { "vulnerability": "VCID-nuap-ea2h-efdd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.5.4" } ], "aliases": [ "CVE-2025-46348", "GHSA-wc9g-6j9w-hr95" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7pet-xetc-6khc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97449?format=api", "vulnerability_id": "VCID-7w5f-cxmw-4kds", "summary": "YesWiki is a wiki system written in PHP. Prior to version 4.5.4, a stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user viewing the affected comment. The XSS occurs because the application fails to properly sanitize or encode user input submitted to the comments. Notably, the application sanitizes or does not allow execution of `<script>` tags, but does not account for payloads obfuscated using JavaScript block comments like `/* JavaScriptPayload */`. This issue has been patched in version 4.5.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46346", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0054", "scoring_system": "epss", "scoring_elements": "0.68169", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0054", "scoring_system": "epss", "scoring_elements": "0.68159", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0054", "scoring_system": "epss", "scoring_elements": "0.68172", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0054", "scoring_system": "epss", "scoring_elements": "0.68071", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46346" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46346", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46346" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/0d4efc880a727599fa4f6d7a64cc967afe475530", "reference_id": "0d4efc880a727599fa4f6d7a64cc967afe475530", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T17:47:34Z/" } ], "url": "https://github.com/YesWiki/yeswiki/commit/0d4efc880a727599fa4f6d7a64cc967afe475530" }, { "reference_url": "https://github.com/advisories/GHSA-59x8-cvxh-3mm4", "reference_id": "GHSA-59x8-cvxh-3mm4", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-59x8-cvxh-3mm4" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-59x8-cvxh-3mm4", "reference_id": "GHSA-59x8-cvxh-3mm4", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T17:47:34Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-59x8-cvxh-3mm4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376374?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-314j-emdm-t7bh" }, { "vulnerability": "VCID-6e7h-385p-zbak" }, { "vulnerability": "VCID-g1rj-vehc-3qe2" }, { "vulnerability": "VCID-nuap-ea2h-efdd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.5.4" } ], "aliases": [ "CVE-2025-46346", "GHSA-59x8-cvxh-3mm4" ], "risk_score": 2.9, "exploitability": "0.5", "weighted_severity": "5.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7w5f-cxmw-4kds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/103610?format=api", "vulnerability_id": "VCID-9tv8-d43r-dyae", "summary": "YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. This vulnerability is fixed in 4.5.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-31131", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.12044", "scoring_system": "epss", "scoring_elements": "0.93972", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.12044", "scoring_system": "epss", "scoring_elements": "0.93966", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.12044", "scoring_system": "epss", "scoring_elements": "0.93971", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.12044", "scoring_system": "epss", "scoring_elements": "0.93946", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-31131" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31131", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31131" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52135.txt", "reference_id": "CVE-2025-31131", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52135.txt" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/f78c915369a60c74ab8f38561ae93a4aaca9b989", "reference_id": "f78c915369a60c74ab8f38561ae93a4aaca9b989", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-01T16:09:50Z/" } ], "url": "https://github.com/YesWiki/yeswiki/commit/f78c915369a60c74ab8f38561ae93a4aaca9b989" }, { "reference_url": "https://github.com/advisories/GHSA-w34w-fvp3-68xm", "reference_id": "GHSA-w34w-fvp3-68xm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w34w-fvp3-68xm" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w34w-fvp3-68xm", "reference_id": "GHSA-w34w-fvp3-68xm", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-01T16:09:50Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w34w-fvp3-68xm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376425?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1rgx-642j-6bez" }, { "vulnerability": "VCID-314j-emdm-t7bh" }, { "vulnerability": "VCID-6e7h-385p-zbak" }, { "vulnerability": "VCID-7pet-xetc-6khc" }, { "vulnerability": "VCID-7w5f-cxmw-4kds" }, { "vulnerability": "VCID-a23f-j6q6-jkfm" }, { "vulnerability": "VCID-g1rj-vehc-3qe2" }, { "vulnerability": "VCID-hf5e-5b9a-ykdd" }, { "vulnerability": "VCID-nuap-ea2h-efdd" }, { "vulnerability": "VCID-rusk-knae-fkae" }, { "vulnerability": "VCID-xw5r-q3tj-7kbc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.5.2" } ], "aliases": [ "CVE-2025-31131", "GHSA-w34w-fvp3-68xm" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9tv8-d43r-dyae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97079?format=api", "vulnerability_id": "VCID-a23f-j6q6-jkfm", "summary": "YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46549", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00576", "scoring_system": "epss", "scoring_elements": "0.6937", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00576", "scoring_system": "epss", "scoring_elements": "0.69367", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00781", "scoring_system": "epss", "scoring_elements": "0.74225", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01472", "scoring_system": "epss", "scoring_elements": "0.81357", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46549" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46549", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46549" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/107d43056adebaa0c731230f9fd010898e88f3f5", "reference_id": "107d43056adebaa0c731230f9fd010898e88f3f5", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T13:19:00Z/" } ], "url": "https://github.com/YesWiki/yeswiki/commit/107d43056adebaa0c731230f9fd010898e88f3f5" }, { "reference_url": "https://github.com/advisories/GHSA-r9gv-qffm-xw6f", "reference_id": "GHSA-r9gv-qffm-xw6f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r9gv-qffm-xw6f" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-r9gv-qffm-xw6f", "reference_id": "GHSA-r9gv-qffm-xw6f", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T13:19:00Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-r9gv-qffm-xw6f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376374?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-314j-emdm-t7bh" }, { "vulnerability": "VCID-6e7h-385p-zbak" }, { "vulnerability": "VCID-g1rj-vehc-3qe2" }, { "vulnerability": "VCID-nuap-ea2h-efdd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.5.4" } ], "aliases": [ "CVE-2025-46549", "GHSA-r9gv-qffm-xw6f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a23f-j6q6-jkfm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359940?format=api", "vulnerability_id": "VCID-g1rj-vehc-3qe2", "summary": "YesWiki has Multiple Reflected Cross-site Scripting Vulnerabilities\n### Summary\n\nMultiple **reflected Cross-site Scripting (XSS)** vulnerabilities across both **authenticated and unauthenticated** portions of the application. These findings present a significant security risk, as they can be leveraged to execute arbitrary JavaScript in a victim’s browser under various contexts.\n\n## Impact and Exploitation\n\nWhile XSS is often treated as a standalone issue, these vulnerabilities have broader implications. Specifically, they can be used as **launch points to exploit other significant vulnerabilities**. \n\nProof of concept links follow. All testing was performed on my local docker setup running the lastest version of the application. \n\n## Proof of Concepts\n\n## Authenticated Reflected XSS\n\n```\nhttp://localhost:8085/?ElizabethJFeinler/deletepage&incomingurl=%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E\n```\n\n```\nhttp://localhost:8085/?BazaR&vue=saisir&action=saisir_fiche&id=%3Cscript%3Ealert(1)%3C%2fscript%3E\n```\n\n```\nhttp://localhost:8085/?GererThemes/upload&file=%3Cscript%3Ealert(1)%3C/script%3E\n```\n\n## Unauthenticated Reflected XSS\n\n\n```\nhttp://localhost:8085/?PagePrincipale/listpages&tags=%22%3E%3Cscript%3Ealert(1)%3C/script%3E\n```\n\nIn this one, most of the parameters can be used to deliver an XSS payload, not just the template parameter. \n\n```\nhttp://localhost:8085/?BazaR/bazariframe&id=2&template=<script>alert(1)</script>&width=100%25&height=600px&lat=46.22763&lon=2.213749&markersize=big&provider=MapBox&zoom=5&groups=&titles=&groupsexpanded=false\n```\n\n### Impact\n\nThe reflected XSS vulnerabilities identified pose a significant risk to both application integrity and user safety. When combined with other issues discovered such as insecure endpoints or improper authentication mechanisms. These XSS flaws can be leveraged to escalate access, hijack sessions, and in some cases, achieve remote code execution (RCE). For example, malicious JavaScript executed via XSS could be used to trigger authenticated requests that exploit backend vulnerabilities, ultimately allowing an attacker to execute arbitrary commands on the server or pivot deeper into the environment.\n\n### Mitigation\nUpdate to version 4.6.0", "references": [ { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-5724-x3rh-5qqq", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-5724-x3rh-5qqq" }, { "reference_url": "https://github.com/advisories/GHSA-5724-x3rh-5qqq", "reference_id": "GHSA-5724-x3rh-5qqq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5724-x3rh-5qqq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373956?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6e7h-385p-zbak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.6.0" } ], "aliases": [ "GHSA-5724-x3rh-5qqq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g1rj-vehc-3qe2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97208?format=api", "vulnerability_id": "VCID-hf5e-5b9a-ykdd", "summary": "YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46350", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52729", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52711", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52714", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52586", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46350" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46350", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46350" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/e2603176a4607b83659635a0c517550d4a171cb9", "reference_id": "e2603176a4607b83659635a0c517550d4a171cb9", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N" }, { "value": "3.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T18:00:32Z/" } ], "url": "https://github.com/YesWiki/yeswiki/commit/e2603176a4607b83659635a0c517550d4a171cb9" }, { "reference_url": "https://github.com/advisories/GHSA-cg4f-cq8h-3ch8", "reference_id": "GHSA-cg4f-cq8h-3ch8", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cg4f-cq8h-3ch8" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8", "reference_id": "GHSA-cg4f-cq8h-3ch8", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N" }, { "value": "3.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T18:00:32Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376374?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-314j-emdm-t7bh" }, { "vulnerability": "VCID-6e7h-385p-zbak" }, { "vulnerability": "VCID-g1rj-vehc-3qe2" }, { "vulnerability": "VCID-nuap-ea2h-efdd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.5.4" } ], "aliases": [ "CVE-2025-46350", "GHSA-cg4f-cq8h-3ch8" ], "risk_score": 1.7, "exploitability": "0.5", "weighted_severity": "3.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hf5e-5b9a-ykdd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/124453?format=api", "vulnerability_id": "VCID-ndxg-jpam-u7cv", "summary": "YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for an authenticated user with rights to edit/create a page or comment to trigger a stored XSS which will be reflected on any page where the resource is loaded. The vulnerability makes use of the content edition feature and more specifically of the `{{attach}}` component allowing users to attach files/medias to a page. When a file is attached using the `{{attach}}` component, if the resource contained in the `file` attribute doesn't exist, then the server will generate a file upload button containing the filename. This vulnerability allows any malicious authenticated user that has the right to create a comment or edit a page to be able to steal accounts and therefore modify pages, comments, permissions, extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24018", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42375", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00276", "scoring_system": "epss", "scoring_elements": "0.51472", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00276", "scoring_system": "epss", "scoring_elements": "0.51471", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00276", "scoring_system": "epss", "scoring_elements": "0.51485", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24018" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24018", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24018" }, { "reference_url": "https://github.com/YesWiki/yeswiki/blob/v4.4.5/tools/attach/libs/attach.lib.php#L660", "reference_id": "attach.lib.php#L660", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T17:15:18Z/" } ], "url": "https://github.com/YesWiki/yeswiki/blob/v4.4.5/tools/attach/libs/attach.lib.php#L660" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/c1e28b59394957902c31c850219e4504a20db98b", "reference_id": "c1e28b59394957902c31c850219e4504a20db98b", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T17:15:18Z/" } ], "url": "https://github.com/YesWiki/yeswiki/commit/c1e28b59394957902c31c850219e4504a20db98b" }, { "reference_url": "https://github.com/advisories/GHSA-w59h-3x3q-3p6j", "reference_id": "GHSA-w59h-3x3q-3p6j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w59h-3x3q-3p6j" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w59h-3x3q-3p6j", "reference_id": "GHSA-w59h-3x3q-3p6j", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T17:15:18Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w59h-3x3q-3p6j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376896?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1rgx-642j-6bez" }, { "vulnerability": "VCID-314j-emdm-t7bh" }, { "vulnerability": "VCID-6e7h-385p-zbak" }, { "vulnerability": "VCID-7pet-xetc-6khc" }, { "vulnerability": "VCID-7w5f-cxmw-4kds" }, { "vulnerability": "VCID-9tv8-d43r-dyae" }, { "vulnerability": "VCID-a23f-j6q6-jkfm" }, { "vulnerability": "VCID-g1rj-vehc-3qe2" }, { "vulnerability": "VCID-hf5e-5b9a-ykdd" }, { "vulnerability": "VCID-nuap-ea2h-efdd" }, { "vulnerability": "VCID-rusk-knae-fkae" }, { "vulnerability": "VCID-xw5r-q3tj-7kbc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.5.0" } ], "aliases": [ "CVE-2025-24018", "GHSA-w59h-3x3q-3p6j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ndxg-jpam-u7cv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75076?format=api", "vulnerability_id": "VCID-nuap-ea2h-efdd", "summary": "YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34598", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0007", "scoring_system": "epss", "scoring_elements": "0.21841", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0007", "scoring_system": "epss", "scoring_elements": "0.21827", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0007", "scoring_system": "epss", "scoring_elements": "0.21653", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0007", "scoring_system": "epss", "scoring_elements": "0.21853", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34598" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34598", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34598" }, { "reference_url": "https://github.com/advisories/GHSA-37fq-47qj-6j5j", "reference_id": "GHSA-37fq-47qj-6j5j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-37fq-47qj-6j5j" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-37fq-47qj-6j5j", "reference_id": "GHSA-37fq-47qj-6j5j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T19:09:35Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-37fq-47qj-6j5j" }, { "reference_url": "https://github.com/YesWiki/yeswiki/releases/tag/v4.6.0", "reference_id": "v4.6.0", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T19:09:35Z/" } ], "url": "https://github.com/YesWiki/yeswiki/releases/tag/v4.6.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373956?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6e7h-385p-zbak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.6.0" } ], "aliases": [ "CVE-2026-34598", "GHSA-37fq-47qj-6j5j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nuap-ea2h-efdd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/124314?format=api", "vulnerability_id": "VCID-phmm-d13t-fyb1", "summary": "YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for any authenticated user, through the use of the filemanager to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host without any limitation on the filesystem's scope. This vulnerability allows any authenticated user to arbitrarily remove content from the Wiki resulting in partial loss of data and defacement/deterioration of the website. In the context of a container installation of YesWiki without any modification, the `yeswiki` files (for example .php) are not owned by the same user (root) as the one running the FPM process (www-data). However in a standard installation, www-data may also be the owner of the PHP files, allowing a malicious user to completely cut the access to the wiki by deleting all important PHP files (like index.php or core files of YesWiki). Version 4.5.0 contains a patch for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24019", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00623", "scoring_system": "epss", "scoring_elements": "0.70715", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00623", "scoring_system": "epss", "scoring_elements": "0.70705", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00623", "scoring_system": "epss", "scoring_elements": "0.70718", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00623", "scoring_system": "epss", "scoring_elements": "0.70615", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24019" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24019", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24019" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/3ddd833d22703caf9025659eb174f7765df7147c", "reference_id": "3ddd833d22703caf9025659eb174f7765df7147c", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:57:51Z/" } ], "url": "https://github.com/YesWiki/yeswiki/commit/3ddd833d22703caf9025659eb174f7765df7147c" }, { "reference_url": "https://github.com/advisories/GHSA-43c9-gw4x-pcx6", "reference_id": "GHSA-43c9-gw4x-pcx6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-43c9-gw4x-pcx6" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-43c9-gw4x-pcx6", "reference_id": "GHSA-43c9-gw4x-pcx6", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:57:51Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-43c9-gw4x-pcx6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376896?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1rgx-642j-6bez" }, { "vulnerability": "VCID-314j-emdm-t7bh" }, { "vulnerability": "VCID-6e7h-385p-zbak" }, { "vulnerability": "VCID-7pet-xetc-6khc" }, { "vulnerability": "VCID-7w5f-cxmw-4kds" }, { "vulnerability": "VCID-9tv8-d43r-dyae" }, { "vulnerability": "VCID-a23f-j6q6-jkfm" }, { "vulnerability": "VCID-g1rj-vehc-3qe2" }, { "vulnerability": "VCID-hf5e-5b9a-ykdd" }, { "vulnerability": "VCID-nuap-ea2h-efdd" }, { "vulnerability": "VCID-rusk-knae-fkae" }, { "vulnerability": "VCID-xw5r-q3tj-7kbc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.5.0" } ], "aliases": [ "CVE-2025-24019", "GHSA-43c9-gw4x-pcx6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-phmm-d13t-fyb1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/124781?format=api", "vulnerability_id": "VCID-pw5f-8aen-5fhj", "summary": "YesWiki is a wiki system written in PHP. Versions up to and including 4.4.5 are vulnerable to any end-user crafting a DOM based XSS on all of YesWiki's pages which is triggered when a user clicks on a malicious link. The vulnerability makes use of the search by tag feature. When a tag doesn't exist, the tag is reflected on the page and isn't properly sanitized on the server side which allows a malicious user to generate a link that will trigger an XSS on the client's side when clicked. This vulnerability allows any user to generate a malicious link that will trigger an account takeover when clicked, therefore allowing a user to steal other accounts, modify pages, comments, permissions, extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24017", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.5222", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00387", "scoring_system": "epss", "scoring_elements": "0.60361", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00387", "scoring_system": "epss", "scoring_elements": "0.60356", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00387", "scoring_system": "epss", "scoring_elements": "0.60367", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24017" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24017", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24017" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/c1e28b59394957902c31c850219e4504a20db98b", "reference_id": "c1e28b59394957902c31c850219e4504a20db98b", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T16:36:11Z/" } ], "url": "https://github.com/YesWiki/yeswiki/commit/c1e28b59394957902c31c850219e4504a20db98b" }, { "reference_url": "https://github.com/advisories/GHSA-wphc-5f2j-jhvg", "reference_id": "GHSA-wphc-5f2j-jhvg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wphc-5f2j-jhvg" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-wphc-5f2j-jhvg", "reference_id": "GHSA-wphc-5f2j-jhvg", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T16:36:11Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-wphc-5f2j-jhvg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376896?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1rgx-642j-6bez" }, { "vulnerability": "VCID-314j-emdm-t7bh" }, { "vulnerability": "VCID-6e7h-385p-zbak" }, { "vulnerability": "VCID-7pet-xetc-6khc" }, { "vulnerability": "VCID-7w5f-cxmw-4kds" }, { "vulnerability": "VCID-9tv8-d43r-dyae" }, { "vulnerability": "VCID-a23f-j6q6-jkfm" }, { "vulnerability": "VCID-g1rj-vehc-3qe2" }, { "vulnerability": "VCID-hf5e-5b9a-ykdd" }, { "vulnerability": "VCID-nuap-ea2h-efdd" }, { "vulnerability": "VCID-rusk-knae-fkae" }, { "vulnerability": "VCID-xw5r-q3tj-7kbc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.5.0" } ], "aliases": [ "CVE-2025-24017", "GHSA-wphc-5f2j-jhvg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pw5f-8aen-5fhj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97527?format=api", "vulnerability_id": "VCID-rusk-knae-fkae", "summary": "YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki vulnerable to remote code execution. An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server, resulting in a full compromise of the server. This could potentially be performed unwittingly by a user. This issue has been patched in version 4.5.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46347", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02401", "scoring_system": "epss", "scoring_elements": "0.85455", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.02401", "scoring_system": "epss", "scoring_elements": "0.85454", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.02401", "scoring_system": "epss", "scoring_elements": "0.85463", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.02401", "scoring_system": "epss", "scoring_elements": "0.85402", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46347" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46347", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46347" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/8fe5275a78dc7e0f9c242baa3cbac6b5ac1cc066", "reference_id": "8fe5275a78dc7e0f9c242baa3cbac6b5ac1cc066", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T18:06:13Z/" } ], "url": "https://github.com/YesWiki/yeswiki/commit/8fe5275a78dc7e0f9c242baa3cbac6b5ac1cc066" }, { "reference_url": "https://github.com/advisories/GHSA-88xg-v53p-fpvf", "reference_id": "GHSA-88xg-v53p-fpvf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-88xg-v53p-fpvf" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-88xg-v53p-fpvf", "reference_id": "GHSA-88xg-v53p-fpvf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T18:06:13Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-88xg-v53p-fpvf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376374?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-314j-emdm-t7bh" }, { "vulnerability": "VCID-6e7h-385p-zbak" }, { "vulnerability": "VCID-g1rj-vehc-3qe2" }, { "vulnerability": "VCID-nuap-ea2h-efdd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.5.4" } ], "aliases": [ "CVE-2025-46347", "GHSA-88xg-v53p-fpvf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rusk-knae-fkae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97131?format=api", "vulnerability_id": "VCID-xw5r-q3tj-7kbc", "summary": "YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the `/?BazaR` endpoint and `idformulaire` parameter are vulnerable to cross-site scripting. An attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46550", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67562", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.6756", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00563", "scoring_system": "epss", "scoring_elements": "0.6884", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00714", "scoring_system": "epss", "scoring_elements": "0.72871", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46550" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46550", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46550" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/4e9e51d80cd024ed2ac5c12c820817e6d8c2655a", "reference_id": "4e9e51d80cd024ed2ac5c12c820817e6d8c2655a", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T13:18:25Z/" } ], "url": "https://github.com/YesWiki/yeswiki/commit/4e9e51d80cd024ed2ac5c12c820817e6d8c2655a" }, { "reference_url": "https://github.com/advisories/GHSA-ggqx-43h2-55jp", "reference_id": "GHSA-ggqx-43h2-55jp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-ggqx-43h2-55jp" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-ggqx-43h2-55jp", "reference_id": "GHSA-ggqx-43h2-55jp", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T13:18:25Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-ggqx-43h2-55jp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376374?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-314j-emdm-t7bh" }, { "vulnerability": "VCID-6e7h-385p-zbak" }, { "vulnerability": "VCID-g1rj-vehc-3qe2" }, { "vulnerability": "VCID-nuap-ea2h-efdd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.5.4" } ], "aliases": [ "CVE-2025-46550", "GHSA-ggqx-43h2-55jp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xw5r-q3tj-7kbc" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35049?format=api", "vulnerability_id": "VCID-cbfr-ybpa-u3f4", "summary": "YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-51478", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36444", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36458", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36264", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.3647", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-51478" }, { "reference_url": "https://github.com/YesWiki/yeswiki", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YesWiki/yeswiki" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51478", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51478" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc", "reference_id": "b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-31T16:50:17Z/" } ], "url": "https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc" }, { "reference_url": "https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7", "reference_id": "e1285709f6f6a2277bd0075acf369f33cefd78f7", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-31T16:50:17Z/" } ], "url": "https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7" }, { "reference_url": "https://github.com/advisories/GHSA-4fvx-h823-38v3", "reference_id": "GHSA-4fvx-h823-38v3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4fvx-h823-38v3" }, { "reference_url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3", "reference_id": "GHSA-4fvx-h823-38v3", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-31T16:50:17Z/" } ], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372000?format=api", "purl": "pkg:composer/yeswiki/yeswiki@4.4.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1rgx-642j-6bez" }, { "vulnerability": "VCID-314j-emdm-t7bh" }, { "vulnerability": "VCID-6e7h-385p-zbak" }, { "vulnerability": "VCID-7pet-xetc-6khc" }, { "vulnerability": "VCID-7w5f-cxmw-4kds" }, { "vulnerability": "VCID-9tv8-d43r-dyae" }, { "vulnerability": "VCID-a23f-j6q6-jkfm" }, { "vulnerability": "VCID-g1rj-vehc-3qe2" }, { "vulnerability": "VCID-hf5e-5b9a-ykdd" }, { "vulnerability": "VCID-ndxg-jpam-u7cv" }, { "vulnerability": "VCID-nuap-ea2h-efdd" }, { "vulnerability": "VCID-phmm-d13t-fyb1" }, { "vulnerability": "VCID-pw5f-8aen-5fhj" }, { "vulnerability": "VCID-rusk-knae-fkae" }, { "vulnerability": "VCID-xw5r-q3tj-7kbc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.4.5" } ], "aliases": [ "CVE-2024-51478", "GHSA-4fvx-h823-38v3" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "8.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cbfr-ybpa-u3f4" } ], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yeswiki/yeswiki@4.4.5" }