Cyber Resilience

CVE-2025-46347

Severity: Medium · Public PoC

Published: 29 April 2025
Modified: 09 May 2025
KEV Added: not listed
Patch: available (version 4.5.4)
CVSS Score (v4): 5.8
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0240 (85.4th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-46347 is a medium-severity vulnerability in YesWiki, classified by NVD as Improper Encoding or Escaping of Output (CWE-116). Its CVSS v4 base score is 5.8 (Medium).

Operationally, its EPSS score places it in the top 14.6% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

YesWiki, a PHP-based wiki system, is affected by a remote code execution vulnerability in versions prior to 4.5.4. The flaw stems from an arbitrary file write primitive that lets an attacker create a file with a .php extension inside the web-served tree; once written, the file can be requested through the web server, which hands it to the PHP interpreter, so the attacker's code runs with the web server's privileges and the host is fully compromised. NVD classifies the issue under CWE-116 and assigns a CVSS 4.0 base score of 5.8. Read that score together with its vector: it records no confidentiality, integrity or availability impact on the vulnerable system (VC:N/VI:N/VA:N) and high impact on a subsequent system (SC:H/SI:H/SA:H), with passive user interaction (UI:P) and no privileges required (PR:N). The "Medium" rating therefore reflects where the scorer drew the system boundary; a defender who treats the wiki host itself as the asset should plan for the full-compromise outcome the description states.

An attacker exploits the weakness by supplying crafted input that reaches the file-write operation with an attacker-chosen name, then browses to the newly created PHP file to execute it. The description notes that the sequence could be triggered unwittingly by a legitimate user, which matches the passive user-interaction entry in the vector, and the vector records no privileges required, so defenders should not assume that only authenticated editors can reach the write path. The text reproduced here does not name the affected endpoint or parameter.

The project has released version 4.5.4 to address the issue; the fix is in commit 8fe5275a78dc7e0f9c242baa3cbac6b5ac1cc066 and is detailed in GitHub Security Advisory GHSA-88xg-v53p-fpvf.

EPSS for the CVE rose from its initial values to a peak of 0.0539 on 2026-06-08 before receding to the current 0.0240, indicating a window after disclosure in which the model rated exploitation within the next 30 days as more likely. EPSS is a predicted probability, not evidence of observed exploitation.
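The write primitive the advisory describes, shown as an added example rather than YesWiki's own code: a sink that lets the caller's file name decide both the target path and its extension, beside a hardened version that canonicalizes the path, keeps it inside the data directory, rejects dotfiles and server-config names, refuses any executable segment anywhere in the name, and allowlists the final suffix. The data-directory layout, the file names and the payload are constructed for the demonstration and are not taken from the advisory.

```python
"""Hardened file-write sink beside the vulnerable pattern.

Added example, not code from YesWiki or from the advisory. It assumes a generic
PHP deployment where an application writes user-influenced content under a data
directory inside the document root, so any file the web server treats as PHP
becomes remote code execution. File names and the payload are constructed.
"""
import tempfile
from pathlib import Path

# Suffixes a common Apache/nginx + PHP setup may hand to the interpreter.
# Any of these anywhere in the dotted name is rejected, not only the last one,
# because Apache's mod_mime evaluates every segment (so "shell.php.txt" can
# still run unless the server is configured otherwise).
EXECUTABLE_SEGMENTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
SERVER_CONFIG_NAMES = {".htaccess", ".user.ini"}  # can re-enable execution per directory
ALLOWED_SUFFIXES = {".txt", ".md", ".json", ".png", ".jpg", ".pdf"}

PAYLOAD = b"<?php system($_GET['c']); ?>"  # constructed webshell body for the demo
TEST_NAMES = ["notes.txt", "shell.php", "shell.PhP", "shell.php.txt",
              ".htaccess", "../outside.txt"]  # constructed attacker-chosen names


def vulnerable_write(data_root: Path, user_name: str, content: bytes) -> Path:
    """Flawed pattern: the caller-supplied name decides both path and extension."""
    target = data_root / user_name
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(content)
    return target


def safe_write(data_root: Path, user_name: str, content: bytes) -> Path:
    """Hardened sink: containment, no dotfiles, no executable segment, allowlisted suffix."""
    base = data_root.resolve()
    candidate = (base / user_name).resolve()  # collapses ../ and symlinks before comparing
    if base not in candidate.parents:
        raise ValueError(f"path escapes data root: {user_name!r}")
    name = candidate.name
    if name.startswith(".") or name in SERVER_CONFIG_NAMES:
        raise ValueError(f"dotfile or server config name: {name!r}")
    segments = {"." + s.lower() for s in name.split(".")[1:]}
    if segments & EXECUTABLE_SEGMENTS:
        raise ValueError(f"executable extension segment in name: {name!r}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"suffix not allowlisted: {candidate.suffix!r}")
    candidate.parent.mkdir(parents=True, exist_ok=True)
    candidate.write_bytes(content)
    return candidate


def accepted_by(sink, names, content=PAYLOAD):
    """Run a sink over the constructed names in a scratch tree; return the names it wrote."""
    accepted = []
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        root.mkdir()
        for n in names:
            try:
                sink(root, n, content)
                accepted.append(n)
            except (ValueError, OSError):
                pass
    return accepted


if __name__ == "__main__":
    print("vulnerable sink wrote:", accepted_by(vulnerable_write, TEST_NAMES))
    print("hardened sink wrote:  ", accepted_by(safe_write, TEST_NAMES))
```

The vulnerable sink writes all six names, including the traversal and the .php file; the hardened one writes only notes.txt. Checking the resolved path rather than the raw string is what defeats the `../` case, and rejecting executable segments anywhere in the name rather than only the final suffix is what defeats the double-extension case.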

Vulnerability details

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to remote code execution. An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server, resulting in a full compromise of the server. This could potentially be performed unwittingly by a user. This issue has been patched in version 4.5.4.

CWE(s)

CWE-116: Improper Encoding or Escaping of Output
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: yeswiki
Product: yeswiki
Affected versions: < 4.5.4 (fixed in 4.5.4)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE) cited in the NVD entry.

Addresses CWE-116: validating that output matches expected content directly mitigates failures to properly encode or escape data for its destination context.

Caveat: the NVD weakness is output encoding, but the advisory text describes an arbitrary file write that lands a .php file where the web server will execute it. The controls that bear most directly on that primitive are on the write path rather than on output encoding: canonicalize the target path and confirm it stays inside the intended directory, allowlist file extensions, and keep user-writable directories either outside the document root or configured so the interpreter never runs files from them. Upgrading to 4.5.4 removes the primitive itself.
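A detective control to pair with the preventive ones above, as an added example that is not from the advisory or the YesWiki project: the second step of the described attack is a request for a freshly written PHP file, so a scan of the access log for PHP-like names under directories that should only ever hold content, plus a filesystem sweep of those same directories, catches both the attempt and the artifact. The directory names in DATA_DIRS, the log lines and the on-disk tree are constructed for the demonstration and are not YesWiki's real layout.

```python
"""Detective control for the post-write step: a PHP file requested from a data directory.

Added example, not from the advisory or the YesWiki project. It assumes an
Apache/nginx combined-format access log and that the directories in DATA_DIRS
hold user content that should never be executed; those names are illustrative,
not YesWiki's layout. The log lines and the on-disk tree are constructed.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote, urlsplit

DATA_DIRS = ("/files/", "/cache/", "/uploads/")  # assumed content-only paths
# PHP-like suffix anywhere in the dotted name, e.g. "x.php", "a.PHTML", "b.php.txt".
EXEC_RE = re.compile(r"\.(php\d?|phtml|phar|phps)(?:$|\.)", re.IGNORECASE)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.5 - - [30/Apr/2025:10:01:02 +0000] "GET /?HomePage HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Apr/2025:10:01:09 +0000] "POST /?SomePage/edit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Apr/2025:10:01:15 +0000] "GET /files/avatar.png HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Apr/2025:10:02:41 +0000] "GET /files/x.php?c=id HTTP/1.1" 200 41 "-" "curl/8.5.0"
198.51.100.7 - - [30/Apr/2025:10:02:58 +0000] "GET /cache/a%2Ephp HTTP/1.1" 200 13 "-" "curl/8.5.0"
198.51.100.7 - - [30/Apr/2025:10:03:10 +0000] "GET /files/b.php.txt HTTP/1.1" 404 0 "-" "curl/8.5.0"
"""


def php_in_data_dir(target: str) -> Optional[str]:
    """Return the decoded path if it is a PHP-like file under a data dir, else None."""
    path = unquote(urlsplit(target).path)  # drop the query string, decode %2E-style evasion
    if path.startswith(DATA_DIRS) and EXEC_RE.search(path.rsplit("/", 1)[-1]):
        return path
    return None


def find_webshell_hits(log_text: str) -> List[dict]:
    """Scan access-log text; one finding per request for PHP under a data dir."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = php_in_data_dir(m["target"])
        if path:
            status = int(m["status"])
            # 200 means the server executed or served it; a 404 is still an attempt worth seeing.
            hits.append({"ip": m["ip"], "path": path, "status": status, "served": status == 200})
    return hits


def sweep_data_dirs(docroot: Path) -> List[str]:
    """Filesystem side of the check: PHP-like files under data dirs, relative to docroot."""
    found = []
    for d in DATA_DIRS:
        top = docroot / d.strip("/")
        if not top.is_dir():
            continue
        for p in top.rglob("*"):
            if p.is_file() and EXEC_RE.search(p.name):
                found.append(p.relative_to(docroot).as_posix())
    return sorted(found)


def demo_sweep() -> List[str]:
    """Build a constructed document root (index.php is legitimate code, the rest is data) and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("index.php", "files/avatar.png", "files/x.php", "cache/sub/a.PHTML"):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("x")
        return sweep_data_dirs(root)


if __name__ == "__main__":
    for h in find_webshell_hits(SAMPLE_LOG):
        print(h)
    print("on disk:", demo_sweep())
```

On the constructed log the scan returns three findings (x.php and the percent-encoded a.php served with 200, b.php.txt attempted with 404), and the sweep reports the two PHP-like files under data directories while ignoring the application's own index.php. Decoding the request target before matching matters: a raw-string match would miss the %2E form.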
