CVE-2026-34598 describes a stored and blind Cross-Site Scripting (XSS) vulnerability found in YesWiki's form title field. This vulnerability allows an unauthenticated attacker to inject malicious JavaScript code that is then executed when other users view the affected page. The vulnerability impacts YesWiki versions 4.5.5 and earlier, and a patch is available in version 4.6.0.
The impact of this XSS vulnerability is significant. An attacker can inject arbitrary JavaScript code into the form title field, which is then stored in the database. When any user visits the page containing the malicious title, the JavaScript payload executes within that user's browser context. This can lead to various malicious actions, including session hijacking, redirection to phishing sites, defacement of the YesWiki instance, and theft of sensitive information. Because the XSS is blind, the attacker does not need to observe the result of the injection directly; the payload fires later in a victim's browser, which makes initial detection harder.
CVE-2026-34598 was publicly disclosed on 2026-03-31. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on CISA KEV. The ease of exploitation, combined with the lack of authentication required, suggests a potential for exploitation if the vulnerability becomes widely known.
Exploit status: EPSS 0.07% (22nd percentile).
The primary mitigation for CVE-2026-34598 is to upgrade YesWiki to version 4.6.0 or later, which contains the fix. If upgrading immediately is not possible, consider implementing input validation and sanitization on the form title field to prevent the injection of malicious code. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review YesWiki logs for suspicious activity, particularly related to form submissions.
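The two compensating controls named above (input validation at storage time and output encoding at render time) are shown here side by side with the unsafe pattern they replace. This is a constructed example for illustration, not YesWiki's code; the form-title storage, the sample payload and the renderers are all assumptions standing in for the real application.

```python
"""Stored XSS in a form-title field: vulnerable pattern vs. hardened pattern.

Constructed example, not YesWiki code. A title arrives from an
unauthenticated client, is persisted, and is later interpolated into HTML.
"""
import html
import re

# Constructed sample input standing in for attacker-controlled title text.
# It is inert here; only the unsafe renderer turns it into live markup.
SAMPLE_TITLE = '<script>alert(1)</script>Contact form'

# In-memory stand-in for the database column that holds form titles.
_form_titles: dict[int, str] = {}


def store_title_unsafe(form_id: int, title: str) -> None:
    """Vulnerable behaviour: persist whatever the client sent, unchecked."""
    _form_titles[form_id] = title


def render_title_unsafe(form_id: int) -> str:
    """Vulnerable behaviour: raw interpolation into the page (stored XSS)."""
    return f"<h1>{_form_titles[form_id]}</h1>"


def validate_title(title: str) -> str:
    """Input-validation layer: a title is short plain text, never markup."""
    if not 1 <= len(title) <= 200:
        raise ValueError("title length out of range")
    if re.search(r"[<>\x00-\x1f]", title):
        raise ValueError("title must not contain markup or control characters")
    return title


def store_title_safe(form_id: int, title: str) -> None:
    """Hardened storage: reject suspicious titles before they reach the DB."""
    _form_titles[form_id] = validate_title(title)


def render_title_safe(form_id: int) -> str:
    """Output-encoding layer: escape for HTML text and attribute context.

    html.escape(quote=True) also encodes ' and ", so the same escaped value
    is safe both as element text and inside a quoted attribute. This layer
    protects even titles that were stored before validation was added.
    """
    safe = html.escape(_form_titles[form_id], quote=True)
    return f'<h1 data-title="{safe}">{safe}</h1>'
```

Output encoding is the control that actually closes the hole: validation can be bypassed by data already in the database, while escaping at render time neutralises every stored title regardless of how it got there.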
Update YesWiki to version 4.6.0 or higher. This version fixes the persistent XSS vulnerability. The update can be performed through the administration panel or by downloading the latest version from the official website and replacing the files.
CVE-2026-34598 is a stored and blind XSS vulnerability in YesWiki's form title field, allowing unauthenticated attackers to inject JavaScript code.
Yes, if you are running YesWiki versions 4.5.5 or earlier, you are vulnerable to this XSS attack.
Upgrade YesWiki to version 4.6.0 or later to resolve this vulnerability. Consider input sanitization as a temporary workaround.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the YesWiki security advisories page for the latest information and updates regarding this vulnerability: [https://www.yeswiki.net/SecurityAdvisories](https://www.yeswiki.net/SecurityAdvisories)