CVE-2025-31131
published 2025-04-01


Priority: P2 · 59 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 5.40% (91.7th percentile)
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. This vulnerability is fixed in 4.5.2.

Affected (2 ranges)

Vendor    Product   Version range     Fixed in
yeswiki   yeswiki   < 4.5.2           4.5.2
yeswiki   yeswiki   >= 0, < 4.5.2     4.5.2

Detection & IOCs (extracted from sources)

URL:   /?UrkCEO/edit&theme=margot&squelette=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&style=margot.css
Other: squelette=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
  • Detect path traversal exploitation attempts against YesWiki via the 'squelette' GET parameter containing URL-encoded directory traversal sequences (..%2f).
  • HTTP response header 'YesWiki-main' is present on vulnerable YesWiki instances and can be used as a fingerprint to confirm target applicability.
  • Shodan query 'html:"yeswiki"' can be used to identify internet-exposed YesWiki instances potentially vulnerable to this CVE.
  • Successful exploitation returns /etc/passwd content in the HTTP response body; monitor for the regex pattern 'root:.*:0:0:' in responses to requests containing the squelette traversal payload.
  • The vulnerability is unauthenticated (PR:N, UI:N per CVSS), so no session or credentials are required; any request with a traversal sequence in the squelette parameter should be treated as suspicious.
  • The vulnerability is fixed in YesWiki version 4.5.2; instances running versions prior to 4.5.2 are affected. Version detection should be part of triage.
  • The Nuclei template uses a single HTTP request (max-request: 1), so detection is lightweight, but it relies on both the YesWiki-main response header AND the passwd regex match being present simultaneously.
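The request-side and response-side checks listed above, combined into a small access-log scanner. This is an added example, not code from cvebase, YesWiki or the Nuclei template; the log lines and response body are constructed, and the scanner goes slightly beyond the IOC by percent-decoding the squelette value until it is stable before looking for a traversal segment.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Common Log Format lines: the first carries the squelette payload
# quoted in the IOC list, the other two are benign YesWiki requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2025:10:00:01 +0000] "GET /?UrkCEO/edit&theme=margot'
    '&squelette=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&style=margot.css HTTP/1.1" 200 1843',
    '203.0.113.8 - - [01/Apr/2025:10:00:05 +0000] "GET /?PagePrincipale/edit&theme=margot'
    '&squelette=margot.tpl.html&style=margot.css HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Apr/2025:10:00:09 +0000] "GET /?PagePrincipale HTTP/1.1" 200 4096',
]
# Constructed response body of the kind the passwd regex is meant to catch.
SAMPLE_RESPONSE = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # a bare ".." path segment
PASSWD_RE = re.compile(r"root:.*:0:0:")               # regex named in the IOC list


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing so encoded '..' normalises."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def squelette_traversal(target: str) -> Optional[str]:
    """Return the decoded squelette value when it contains a traversal segment."""
    for raw in parse_qs(urlsplit(target).query).get("squelette", []):
        decoded = fully_decode(raw)          # parse_qs already decoded one layer
        if TRAVERSAL_RE.search(decoded):
            return decoded
    return None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Collect (client ip, decoded payload, status) for suspicious squelette requests."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (payload := squelette_traversal(m.group("target"))) is not None:
            hits.append((line.split()[0], payload, int(m.group("status"))))
    return hits


def response_leaks_passwd(body: str) -> bool:
    """Response-side half of the IOC: body looks like /etc/passwd content."""
    return PASSWD_RE.search(body) is not None
```

A request hit whose response also satisfies response_leaks_passwd (and carries the YesWiki-main header) matches the Nuclei template's full condition; a hit alone is still worth triage given the unauthenticated attack surface.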