# [CRIT] [GHSA / CRITICAL] CVE-2026-46670: YesWiki: Unauthenticated SQL Injection

**Source:** GitHub Security Advisories
**Published:** 2026-05-22
**Article:** https://github.com/advisories/GHSA-jwvv-qr7q-cv8j

## Threat Profile

YesWiki: Unauthenticated SQL Injection

### Summary

An unauthenticated SQL injection in the Bazar form-import path (`FormManager::create()`) allows any unauthenticated visitor of a default YesWiki install to inject arbitrary SQL into an `INSERT` statement and read the full database, including `yeswiki_users.password` hashes. Present in 4.6.1 / 4.6.2 / current `doryphore-dev`; analyzed against upstream commit `1f485c049db030b94c047ec219e63534ac81142e`.

### Details

Sink is at `FormManager::crea…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-46670`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1204.002** — User Execution: Malicious File
- **T1078** — Valid Accounts
- **T1595.002** — Vulnerability Scanning

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### YesWiki Bazar form-import volumetric POST — CVE-2026-46670 blind SQLi extraction loop

`UC_216_2` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count from datamodel=Web where Web.http_method="POST" Web.url="*BazaR*vue=formulaire*" by Web.src, Web.dest, Web.url, Web.http_user_agent, _time span=5m | `drop_dm_object_name(Web)` | where count >= 20 | sort 0 - count
```

### Non-browser User-Agent against YesWiki Bazar form-import endpoint — CVE-2026-46670 exploit tooling

`UC_216_3` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count from datamodel=Web where Web.http_method="POST" Web.url="*BazaR*vue=formulaire*" (Web.http_user_agent="*Python-urllib*" OR Web.http_user_agent="*python-requests*" OR Web.http_user_agent="*curl/*" OR Web.http_user_agent="*Go-http-client*" OR Web.http_user_agent="*Java/*" OR Web.http_user_agent="*PowerShell*" OR Web.http_user_agent="*wget*" OR Web.http_user_agent="*libwww-perl*") by Web.src, Web.dest, Web.url, Web.http_user_agent, _time | `drop_dm_object_name(Web)` | stats count, min(_time) as first_seen, max(_time) as last_seen by src, dest, http_user_agent | sort 0 - count
```

### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46670: YesWiki: Unauthenticated SQL Injection

`UC_216_1` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-46670: YesWiki: Unauthenticated SQL Injection ```
| tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process_name IN ("yeswiki_sqli_poc.py"))
    by Processes.dest, Processes.user, Processes.process_name,
       Processes.process, Processes.parent_process_name, Processes.process_path
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| append [
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_name IN ("yeswiki_sqli_poc.py"))
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
]
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-46670: YesWiki: Unauthenticated SQL Injection
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where (FileName in~ ("yeswiki_sqli_poc.py"))
| project Timestamp, DeviceName, AccountName, FileName,
          FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FileName in~ ("yeswiki_sqli_poc.py"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-46670`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 4 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.