CVE-2025-46348 CRITICAL

CVE-2025-46348: YesWiki Vulnerable to Unauthenticated Site Backup Creation and Download

Vendor Yeswiki
Product yeswiki
Weakness CWE-287 · Improper authentication
Published April 29, 2025
Last update April 30, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue has been patched in version 4.5.4.

Key dates

02Disclosure timeline

April 29, 2025 CVE published
April 30, 2025 Record updated