CVE-2026-34598 HIGH

CVE-2026-34598: YesWiki has Persistant Blind XSS at "/?BazaR&vue=consulter"

Vendor Yeswiki

Product yeswiki

Weakness CWE-79 · XSS

Published April 2, 2026

Last update April 2, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0.

Key dates

02Disclosure timeline

April 2, 2026 CVE published

April 2, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34598 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-49433 WordPress Supermalink <= 1.1 - Cross Site Scripting (XSS) Vulnerability CVE-2025-57926 WordPress Passster Plugin <= 4.2.18 - Cross Site Scripting (XSS) Vulnerability CVE-2022-1724 Simple Membership < 4.1.1 - Reflected Cross-Site Scripting CVE-2025-12090 Employee Spotlight – Team Member Showcase & Meet the Team Plugin <= 5.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-4513 Campcodes Complete Web-Based School Management System timetable_update_form.php cross site scripting