CVE-2025-46349
HIGH NUCLEI
YesWiki <4.5.4 - XSS
Title source: llm
Description
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to reflected XSS in the file upload form. This vulnerability allows any malicious unauthenticated user to create a link that can be clicked on by the victim to perform arbitrary actions. This issue has been patched in version 4.5.4.
Nuclei Templates (1)
YesWiki Reflected XSS via File Upload
HIGH by Mahmoud Gamal
Shodan:
html:"yeswiki"
FOFA:
body="yeswiki"
Scores
CVSS v3
7.6
EPSS
0.0054
EPSS Percentile
67.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Details
CWE
CWE-79
Status
published
Products (2)
yeswiki/yeswiki
< 4.5.4
yeswiki/yeswiki
0 Packagist
Published
Apr 29, 2025
Tracked Since
Feb 18, 2026