
    456 vulnerabilities found for xwiki-platform by xwiki

    CVE-2026-33137 (GCVE-0-2026-33137)

    Vulnerability from nvd – Published: 2026-05-20 18:59 – Updated: 2026-05-26 18:20
    Title
    XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 15.10.6, < 16.10.17
    Affected: >= 17.0.0-rc-1, < 17.4.9
    Affected: >= 17.5.0, < 17.10.3
    Affected: >= 18.0.0-rc-1, < 18.1.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33137",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T13:24:33.961502Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T13:26:33.928Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 15.10.6, \u003c 16.10.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0, \u003c 17.10.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.0.0-rc-1, \u003c 18.1.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T18:20:49.991Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23953",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23953"
            }
          ],
          "source": {
            "advisory": "GHSA-qrvh-r3f2-9h4r",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33137",
        "datePublished": "2026-05-20T18:59:17.819Z",
        "dateReserved": "2026-03-17T20:35:49.929Z",
        "dateUpdated": "2026-05-26T18:20:49.991Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40105 (GCVE-0-2026-40105)

    Vulnerability from nvd – Published: 2026-04-15 00:07 – Updated: 2026-04-15 16:13
    Title
    XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7, and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting (XSS) vulnerability in the comparison view between revisions of a page that allows executing JavaScript code in the user's browser. If the current user is an admin, this can affect not only the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 10.4-rc-1, < 16.10.16
    Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40105",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T14:02:32.181983Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-15T16:13:48.450Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 10.4-rc-1, \u003c 16.10.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through  16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user\u0027s browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T00:07:23.150Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23472",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23472"
            }
          ],
          "source": {
            "advisory": "GHSA-w4fj-87j5-f25c",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40105",
        "datePublished": "2026-04-15T00:07:23.150Z",
        "dateReserved": "2026-04-09T01:41:38.536Z",
        "dateUpdated": "2026-04-15T16:13:48.450Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33229 (GCVE-0-2026-33229)

    Vulnerability from nvd – Published: 2026-04-08 14:53 – Updated: 2026-04-10 20:33
    Title
    XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    org.xwiki.platform xwiki-platform-legacy-oldcore Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    org.xwiki.platform xwiki-platform-oldcore Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33229",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-10T20:32:55.827011Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T20:33:15.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            },
            {
              "product": "xwiki-platform-legacy-oldcore",
              "vendor": "org.xwiki.platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            },
            {
              "product": "xwiki-platform-oldcore",
              "vendor": "org.xwiki.platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don\u0027t recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T14:53:35.977Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23698",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23698"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23702",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23702"
            }
          ],
          "source": {
            "advisory": "GHSA-h259-74h5-4rh9",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33229",
        "datePublished": "2026-04-08T14:53:35.977Z",
        "dateReserved": "2026-03-18T02:42:27.507Z",
        "dateUpdated": "2026-04-10T20:33:15.897Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-26000 (GCVE-0-2026-26000)

    Vulnerability from nvd – Published: 2026-02-12 20:30 – Updated: 2026-02-12 20:54
    Title
    XWiki Platform affected by click-jacking through CSS injection in comments
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it is possible to use comments to inject CSS that turns the whole wiki into a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
    Assigner
    References
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 17.5.0, < 17.9.0
    Affected: >= 17.0.0-rc-1, < 17.4.6
    Affected: < 16.10.13

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-26000",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T20:54:20.382398Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-12T20:54:45.754Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0, \u003c  17.9.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.10.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it\u0027s possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1021",
                  "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T20:30:07.263Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-74rh-c5rh-88vg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-74rh-c5rh-88vg"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.6"
            }
          ],
          "source": {
            "advisory": "GHSA-74rh-c5rh-88vg",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform affected by click-jacking through CSS injection in comments"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-26000",
        "datePublished": "2026-02-12T20:30:07.263Z",
        "dateReserved": "2026-02-09T17:41:55.859Z",
        "dateUpdated": "2026-02-12T20:54:45.754Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24128 (GCVE-0-2026-24128)

    Vulnerability from nvd – Published: 2026-01-23 23:18 – Updated: 2026-01-26 17:12
    Title
    XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. As a workaround, the patch can be applied manually: only a single line in templates/logging_macros.vm needs to be changed, and no restart is required.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 7.0-milestone-2, < 16.10.12
    Affected: >= 17.0.0-rc-1, < 17.4.5
    Affected: >= 17.5.0-rc-1, < 17.8.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24128",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-26T17:12:38.601796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-26T17:12:52.761Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.0-milestone-2, \u003c 16.10.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.8.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-23T23:18:31.366Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23462",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23462"
            }
          ],
          "source": {
            "advisory": "GHSA-wvqx-m5px-6cmp",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-24128",
        "datePublished": "2026-01-23T23:18:31.366Z",
        "dateReserved": "2026-01-21T18:38:22.473Z",
        "dateUpdated": "2026-01-26T17:12:52.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66473 (GCVE-0-2025-66473)

    Vulnerability from nvd – Published: 2025-12-10 21:51 – Updated: 2025-12-11 15:39
    Title
    XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis
    Summary
    XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: < 16.10.11
    Affected: >= 17.0.0-rc-1, < 17.4.4
    Affected: >= 17.5.0-rc-1, < 17.7.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66473",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-11T15:39:41.356268Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T15:39:53.549Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XWIKI-23355"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.10.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.7.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn\u0027t enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T21:51:55.836Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23355",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23355"
            }
          ],
          "source": {
            "advisory": "GHSA-cc84-q3v3-mhgf",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki\u0027s REST APIs don\u0027t enforce any limits, leading to unavailability and OOM in large wikis"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66473",
        "datePublished": "2025-12-10T21:51:55.836Z",
        "dateReserved": "2025-12-02T16:23:01.097Z",
        "dateUpdated": "2025-12-11T15:39:53.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66472 (GCVE-0-2025-66472)

    Vulnerability from nvd – Published: 2025-12-10 21:34 – Updated: 2025-12-11 15:40
    Title
    XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the "No" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: org.xwiki.platform:xwiki-platform-flamingo-skin-resources >= 6.2-milestone-1, < 16.10.10
    Affected: org.xwiki.platform:xwiki-platform-flamingo-skin-resources >= 17.0.0-rc-1, < 17.4.2
    Affected: org.xwiki.platform:xwiki-platform-web-templates >= 6.2-milestone-1, < 16.10.10
    Affected: org.xwiki.platform:xwiki-platform-web-templates >= 17.0.0-rc-1, < 17.4.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66472",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-11T15:40:26.291295Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T15:40:38.484Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-flamingo-skin-resources \u003e= 6.2-milestone-1, \u003c 16.10.10"
                },
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-flamingo-skin-resources \u003e= 17.0.0-rc-1, \u003c 17.4.2"
                },
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-web-templates \u003e= 6.2-milestone-1, \u003c 16.10.10"
                },
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-web-templates \u003e= 17.0.0-rc-1, \u003c 17.4.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the \"No\" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T21:34:47.460Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23244",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23244"
            }
          ],
          "source": {
            "advisory": "GHSA-7vpr-jm38-wr7w",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66472",
        "datePublished": "2025-12-10T21:34:47.460Z",
        "dateReserved": "2025-12-02T15:43:16.586Z",
        "dateUpdated": "2025-12-11T15:40:38.484Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55749 (GCVE-0-2025-55749)

    Vulnerability from nvd – Published: 2025-12-01 20:09 – Updated: 2025-12-01 20:34
    Title
    The XWiki Jetty package (XJetty) allows accessing any application file through URL
    Summary
    XWiki is an open-source wiki software platform. From 16.7.0 up to but not including 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed that allows static access to any file located in the webapp/ folder. This allows reading files which might contain credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 16.7.0, < 16.10.11
    Affected: >= 17.0.0-rc1, < 17.4.4
    Affected: >= 17.5.0, < 17.7.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55749",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-01T20:34:46.305442Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-01T20:34:50.797Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 16.7.0, \u003c 16.10.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc1, \u003c 17.4.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0, \u003c 17.7.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki is an open-source wiki software platform. From 16.7.0 up to but not including 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed that allows static access to any file located in the webapp/ folder. This allows reading files which might contain credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-01T20:09:46.410Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-53gx-j3p6-2rw9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-53gx-j3p6-2rw9"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/42fb063749dd88cc78196f72d7318b7179285ebd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/42fb063749dd88cc78196f72d7318b7179285ebd"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/99a04a0e2143583f5154a43e02174155da7e8e10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/99a04a0e2143583f5154a43e02174155da7e8e10"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23438",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23438"
            }
          ],
          "source": {
            "advisory": "GHSA-53gx-j3p6-2rw9",
            "discovery": "UNKNOWN"
          },
          "title": "The XWiki Jetty package (XJetty) allows accessing any application file through URL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-55749",
        "datePublished": "2025-12-01T20:09:46.410Z",
        "dateReserved": "2025-08-14T22:31:17.685Z",
        "dateUpdated": "2025-12-01T20:34:50.797Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-52472 (GCVE-0-2025-52472)

    Vulnerability from nvd – Published: 2025-10-06 14:53 – Updated: 2025-10-06 15:13
    Title
    XWiki Platform vulnerable to HQL injection via wiki and space search REST API
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it's not that easy to exploit. The part of the query between the two fields can be enclosed in single quotes to effectively remove them, but the query still needs to remain valid with the query two times in it. This has been patched in versions 17.5.0, 17.4.2, and 16.10.9. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 4.3-milestone-1, < 16.10.9
    Affected: >= 17.0.0-rc-1, < 17.4.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-52472",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-06T15:13:19.573291Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-06T15:13:42.161Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.3-milestone-1, \u003c 16.10.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it\u0027s not that easy to exploit. The part of the query between the two fields can be enclosed in single quotes to effectively remove them, but the query still needs to remain valid with the query two times in it. This has been patched in versions 17.5.0, 17.4.2, and 16.10.9. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-06T14:53:46.654Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gprp-h92g-gc2h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gprp-h92g-gc2h"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/743ebf8696ffa55161ed2c5ecf26b09f69e6bcf1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/743ebf8696ffa55161ed2c5ecf26b09f69e6bcf1"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/a45eca2af772abb7324e56d7fd2df1ac937bc445",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/a45eca2af772abb7324e56d7fd2df1ac937bc445"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23247",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23247"
            }
          ],
          "source": {
            "advisory": "GHSA-gprp-h92g-gc2h",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform vulnerable to HQL injection via wiki and space search REST API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-52472",
        "datePublished": "2025-10-06T14:53:46.654Z",
        "dateReserved": "2025-06-17T02:28:39.716Z",
        "dateUpdated": "2025-10-06T15:13:42.161Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-55748 (GCVE-0-2025-55748)

    Vulnerability from nvd – Published: 2025-09-03 20:19 – Updated: 2025-09-03 20:47
    Title
    XWiki Platform's configuration files can be accessed through jsx and sx endpoints
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, the jsx and sx skin-extension endpoints do not confine their `resource` parameter to the intended resource directory (CWE-23, relative path traversal), so an unauthenticated request (CVSS PR:N) can use `../` sequences to read server-side configuration files, for example `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false`, which returns the contents of `WEB-INF/xwiki.cfg`. This is fixed in version 16.10.7.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 4.2-milestone-2, < 16.10.7

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55748",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-03T20:47:42.905524Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-03T20:47:51.121Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2-milestone-2, \u003c 16.10.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It\u0027s possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg\u0026minify=false`. This is fixed in version 16.10.7."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T20:19:45.501Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-ee78930a9ac5ea586179fe8ab88a5fd58e369d175927d1e88a0b4dbc3ebcbf1eR62",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-ee78930a9ac5ea586179fe8ab88a5fd58e369d175927d1e88a0b4dbc3ebcbf1eR62"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23109",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23109"
            }
          ],
          "source": {
            "advisory": "GHSA-m63c-3rmg-r2cf",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform\u0027s configuration files can be accessed through jsx and sx endpoints"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-55748",
        "datePublished": "2025-09-03T20:19:45.501Z",
        "dateReserved": "2025-08-14T22:31:17.685Z",
        "dateUpdated": "2025-09-03T20:47:51.121Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-55747 (GCVE-0-2025-55747)

    Vulnerability from nvd – Published: 2025-09-03 20:12 – Updated: 2025-09-03 20:48
    Title
    XWiki Platform's configuration files can be accessed through the webjars API
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, the webjars API does not prevent relative path traversal (CWE-23), so server-side configuration files can be read through it by an unauthenticated request (CVSS PR:N). This is fixed in version 16.10.7, by the same commit (9e7b4c03) that fixes the jsx/sx variant of this issue, CVE-2025-55748, so a single upgrade to 16.10.7 addresses both.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 6.1-milestone-2, < 16.10.7

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55747",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-03T20:48:20.232200Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-03T20:48:27.579Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1-milestone-2, \u003c 16.10.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions  6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T20:17:27.940Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-45ea9c87d5fb68cd5db0da7f78cf25e76f1325f5fe56e21618b21786fc706236R80-R81",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-45ea9c87d5fb68cd5db0da7f78cf25e76f1325f5fe56e21618b21786fc706236R80-R81"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-19350",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-19350"
            }
          ],
          "source": {
            "advisory": "GHSA-qww7-89xh-x7m7",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform\u0027s configuration files can be accessed through the webjars API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-55747",
        "datePublished": "2025-09-03T20:12:12.978Z",
        "dateReserved": "2025-08-14T22:31:17.685Z",
        "dateUpdated": "2025-09-03T20:48:27.579Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-58049 (GCVE-0-2025-58049)

    Vulnerability from nvd – Published: 2025-08-28 17:43 – Updated: 2025-08-28 18:15
    Title
    XWiki PDF export jobs store sensitive cookies unencrypted in job statuses
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in the persisted job statuses. Credentials such as these should not be stored in plain text, and it should not be possible to recover them by obtaining, e.g., a backup of the data directory. Note that exploitation requires read access to the stored job statuses (the data directory or a backup of it), which is why the CVSS vector is rated AC:H/PR:H despite the high confidentiality impact. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
    • CWE-257 - Storing Passwords in a Recoverable Format
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 14.4.2, < 16.4.8
    Affected: >= 16.5.0-rc-1, < 16.10.7
    Affected: >= 17.0.0-rc-1, < 17.4.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58049",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-28T18:15:42.371947Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-28T18:15:47.326Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 14.4.2, \u003c 16.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn\u0027t store passwords in plain text, and it shouldn\u0027t be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-212",
                  "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-257",
                  "description": "CWE-257: Storing Passwords in a Recoverable Format",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-28T17:43:39.779Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23151",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23151"
            }
          ],
          "source": {
            "advisory": "GHSA-9m7c-m33f-3429",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki PDF export jobs store sensitive cookies unencrypted in job statuses"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-58049",
        "datePublished": "2025-08-28T17:43:39.779Z",
        "dateReserved": "2025-08-22T14:30:32.221Z",
        "dateUpdated": "2025-08-28T18:15:47.326Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54125 (GCVE-0-2025-54125)

    Vulnerability from nvd – Published: 2025-08-05 23:30 – Updated: 2025-08-06 20:29
    Title
    XWiki Platform: Password and email exposure in xml.vm fields
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page (triggered by any user with view rights on that page by appending `?xpage=xml` to its URL) includes password and email properties stored on the document whenever those properties are not literally named `password` or `email`; only properties with those exact names were withheld. On wikis that grant view rights to guests this requires no account at all (CVSS PR:N). This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. As a workaround, the file templates/xml.vm in the deployed WAR can be deleted if the XML export isn't needed; no feature in XWiki itself depends on the XML export.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 1.1, < 16.4.7
    Affected: >= 16.5.0-rc-1, < 16.10.5
    Affected: >= 17.0.0-rc-1, < 17.2.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54125",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-06T20:28:50.779888Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-06T20:29:03.491Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XWIKI-22810"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.1, \u003c 16.4.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.2.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren\u0027t named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn\u0027t needed. There isn\u0027t any feature in XWiki itself that depends on the XML export."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-359",
                  "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-05T23:30:38.963Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-22810",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-22810"
            }
          ],
          "source": {
            "advisory": "GHSA-57q2-6cp4-9mq3",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform: Password and email exposure in xml.vm fields"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54125",
        "datePublished": "2025-08-05T23:30:38.963Z",
        "dateReserved": "2025-07-16T23:53:40.509Z",
        "dateUpdated": "2025-08-06T20:29:03.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54124 (GCVE-0-2025-54124)

    Vulnerability from nvd – Published: 2025-08-05 23:28 – Updated: 2025-08-06 20:28
    Title
    XWiki Platform: Any user with editing rights can access password properties through Database List Properties
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When an object of that XClass is added, the content of the referenced password property is displayed in the list. In practice, with a standard rights setup, this means that any user with an account on the wiki can read the password hashes of all users, and possibly other password properties (whether stored hashed or in plain text) on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 9.8-rc-1, < 16.4.7
    Affected: >= 16.5.0-rc-1, < 16.10.5
    Affected: >= 17.0.0-rc-1, < 17.2.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54124",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-06T20:27:54.134605Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-06T20:28:10.785Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XWIKI-22811"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.8-rc-1, \u003c 16.4.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.2.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-359",
                  "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-05T23:28:07.166Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-22811",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-22811"
            }
          ],
          "source": {
            "advisory": "GHSA-r38m-cgpg-qj69",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform: Any user with editing rights can access password properties through Database List Properties"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54124",
        "datePublished": "2025-08-05T23:28:07.166Z",
        "dateReserved": "2025-07-16T23:53:40.509Z",
        "dateUpdated": "2025-08-06T20:28:10.785Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-32430 (GCVE-0-2025-32430)

    Vulnerability from nvd – Published: 2025-08-05 23:27 – Updated: 2025-08-06 20:27
    Title
    XWiki Platform contains Reflected XSS vulnerability in two templates
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To work around the issue on an instance that cannot be upgraded immediately, manually patch the deployed WAR with the same changes as the original fix (see the referenced commit). A proof of concept is recorded (SSVC Exploitation: poc; the advisory reference is tagged "exploit"), so unpatched, publicly reachable instances should be treated as at elevated risk.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 4.2-milestone-3, < 16.4.8
    Affected: >= 16.5.0-rc-1, < 16.10.6
    Affected: >= 17.0.0-rc-1, < 17.3.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32430",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-06T20:26:53.478745Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-06T20:27:07.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2-milestone-3, \u003c 16.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.3.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim\u0027s session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-05T23:27:07.471Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23096",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23096"
            }
          ],
          "source": {
            "advisory": "GHSA-m9x4-w7p9-mxhx",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform contains Reflected XSS vulnerability in two templates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-32430",
        "datePublished": "2025-08-05T23:27:07.471Z",
        "dateReserved": "2025-04-08T10:54:58.367Z",
        "dateUpdated": "2025-08-06T20:27:07.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-33137 (GCVE-0-2026-33137)

    Vulnerability from cvelistv5 – Published: 2026-05-20 18:59 – Updated: 2026-05-26 18:20
    Title
    XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions starting with 15.10.6 and prior to 16.10.17, 17.4.9, 17.10.3 and 18.1.0-rc-1, the REST endpoint POST /wikis/{wikiName} executes an XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. The CNA rates the resulting impact on the confidentiality, integrity and availability of the affected wiki as high (CVSS v4.0 base score 9.3; SSVC Technical Impact: total). This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1. Note that the affected range published for the 18.x line (>= 18.0.0-rc-1, < 18.1.0-rc-1) overlaps the 18.0.1 release listed as patched; when deciding whether an 18.0.x instance needs updating, rely on the vendor's patched-versions statement and the linked advisory (GHSA-qrvh-r3f2-9h4r) rather than the range alone.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 15.10.6, < 16.10.17
    Affected: >= 17.0.0-rc-1, < 17.4.9
    Affected: >= 17.5.0, < 17.10.3
    Affected: >= 18.0.0-rc-1, < 18.1.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33137",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T13:24:33.961502Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T13:26:33.928Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 15.10.6, \u003c 16.10.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0, \u003c 17.10.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.0.0-rc-1, \u003c 18.1.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T18:20:49.991Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23953",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23953"
            }
          ],
          "source": {
            "advisory": "GHSA-qrvh-r3f2-9h4r",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33137",
        "datePublished": "2026-05-20T18:59:17.819Z",
        "dateReserved": "2026-03-17T20:35:49.929Z",
        "dateUpdated": "2026-05-26T18:20:49.991Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40105 (GCVE-0-2026-40105)

    Vulnerability from cvelistv5 – Published: 2026-04-15 00:07 – Updated: 2026-04-15 16:13
    Title
    XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7, and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting (XSS) vulnerability in the comparison view between revisions of a page that allows executing JavaScript code in the user's browser. If the current user is an admin, this can affect not only that user but also the confidentiality, integrity and availability of the whole XWiki instance. The issue is fixed in 16.10.16, 17.4.8 and 17.10.1. If updating immediately is not possible, the fix (the referenced commit) can be applied manually to templates/changesdoc.vm in the deployed WAR.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 10.4-rc-1, < 16.10.16
    Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40105",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T14:02:32.181983Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-15T16:13:48.450Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 10.4-rc-1, \u003c 16.10.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through  16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user\u0027s browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T00:07:23.150Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23472",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23472"
            }
          ],
          "source": {
            "advisory": "GHSA-w4fj-87j5-f25c",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40105",
        "datePublished": "2026-04-15T00:07:23.150Z",
        "dateReserved": "2026-04-09T01:41:38.536Z",
        "dateUpdated": "2026-04-15T16:13:48.450Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33229 (GCVE-0-2026-33229)

    Vulnerability from cvelistv5 – Published: 2026-04-08 14:53 – Updated: 2026-04-10 20:33
    Title
    XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 17.0.0-rc-1 through 17.4.7 and 17.5.0-rc-1 through 17.10.0, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, giving full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that the vendor does not recommend granting to untrusted users; accordingly, the CNA's CVSS v4.0 vector scores this with Privileges Required: High (base score 8.6), whereas the CISA ADP CVSS v3.1 vector (9.8, PR:N) does not reflect that precondition. This vulnerability is fixed in 17.4.8 and 17.10.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    org.xwiki.platform xwiki-platform-legacy-oldcore Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    org.xwiki.platform xwiki-platform-oldcore Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33229",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-10T20:32:55.827011Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T20:33:15.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            },
            {
              "product": "xwiki-platform-legacy-oldcore",
              "vendor": "org.xwiki.platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            },
            {
              "product": "xwiki-platform-oldcore",
              "vendor": "org.xwiki.platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don\u0027t recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T14:53:35.977Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23698",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23698"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23702",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23702"
            }
          ],
          "source": {
            "advisory": "GHSA-h259-74h5-4rh9",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33229",
        "datePublished": "2026-04-08T14:53:35.977Z",
        "dateReserved": "2026-03-18T02:42:27.507Z",
        "dateUpdated": "2026-04-10T20:33:15.897Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-26000 (GCVE-0-2026-26000)

    Vulnerability from cvelistv5 – Published: 2026-02-12 20:30 – Updated: 2026-02-12 20:54
    Title
    XWiki Platform affected by click-jacking through CSS injection in comments
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it is possible to inject CSS through comments that turns the whole wiki page into a link area leading to a malicious page (clickjacking via CSS injection, CWE-1021). Since the injection vector is comments, any account allowed to comment on a page can redirect other users who click anywhere on that page to an attacker-chosen destination. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
    Assigner
    References
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 17.5.0, < 17.9.0
    Affected: >= 17.0.0-rc-1, < 17.4.6
    Affected: < 16.10.13

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-26000",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T20:54:20.382398Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-12T20:54:45.754Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0, \u003c  17.9.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.10.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it\u0027s possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1021",
                  "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T20:30:07.263Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-74rh-c5rh-88vg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-74rh-c5rh-88vg"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.6"
            }
          ],
          "source": {
            "advisory": "GHSA-74rh-c5rh-88vg",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform affected by click-jacking through CSS injection in comments"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-26000",
        "datePublished": "2026-02-12T20:30:07.263Z",
        "dateReserved": "2026-02-09T17:41:55.859Z",
        "dateUpdated": "2026-02-12T20:54:45.754Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24128 (GCVE-0-2026-24128)

    Vulnerability from cvelistv5 – Published: 2026-01-23 23:18 – Updated: 2026-01-26 17:12
    Title
    XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL that, when opened by a victim, executes arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. As a workaround, the patch can be applied manually: only a single line in templates/logging_macros.vm needs to be changed, and no restart is required.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 7.0-milestone-2, < 16.10.12
    Affected: >= 17.0.0-rc-1, < 17.4.5
    Affected: >= 17.5.0-rc-1, < 17.8.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24128",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-26T17:12:38.601796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-26T17:12:52.761Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.0-milestone-2, \u003c 16.10.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.8.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-23T23:18:31.366Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23462",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23462"
            }
          ],
          "source": {
            "advisory": "GHSA-wvqx-m5px-6cmp",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-24128",
        "datePublished": "2026-01-23T23:18:31.366Z",
        "dateReserved": "2026-01-21T18:38:22.473Z",
        "dateUpdated": "2026-01-26T17:12:52.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66473 (GCVE-0-2025-66473)

    Vulnerability from cvelistv5 – Published: 2025-12-10 21:51 – Updated: 2025-12-11 15:39
    Title
    XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis
    Summary
    XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which does not enforce any limit on the number of items that can be requested in a single request. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki (out-of-memory). As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. Note that the request is unauthenticated (CVSS v4 PR:N) and a proof of concept is referenced. This issue is fixed in versions 17.4.4 and 16.10.11; per the affected-version ranges below, the 17.5.x line is fixed in 17.7.0-rc-1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: < 16.10.11
    Affected: >= 17.0.0-rc-1, < 17.4.4
    Affected: >= 17.5.0-rc-1, < 17.7.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66473",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-11T15:39:41.356268Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T15:39:53.549Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XWIKI-23355"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.10.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.7.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn\u0027t enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T21:51:55.836Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23355",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23355"
            }
          ],
          "source": {
            "advisory": "GHSA-cc84-q3v3-mhgf",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki\u0027s REST APIs don\u0027t enforce any limits, leading to unavailability and OOM in large wikis"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66473",
        "datePublished": "2025-12-10T21:51:55.836Z",
        "dateReserved": "2025-12-02T16:23:01.097Z",
        "dateUpdated": "2025-12-11T15:39:53.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66472 (GCVE-0-2025-66472)

    Vulnerability from cvelistv5 – Published: 2025-12-10 21:34 – Updated: 2025-12-11 15:40
    Title
    XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the "No" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: org.xwiki.platform:xwiki-platform-flamingo-skin-resources >= 6.2-milestone-1, < 16.10.10
    Affected: org.xwiki.platform:xwiki-platform-flamingo-skin-resources >= 17.0.0-rc-1, < 17.4.2
    Affected: org.xwiki.platform:xwiki-platform-web-templates >= 6.2-milestone-1, < 16.10.10
    Affected: org.xwiki.platform:xwiki-platform-web-templates >= 17.0.0-rc-1, < 17.4.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66472",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-11T15:40:26.291295Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T15:40:38.484Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-flamingo-skin-resources \u003e= 6.2-milestone-1, \u003c 16.10.10"
                },
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-flamingo-skin-resources \u003e= 17.0.0-rc-1, \u003c 17.4.2"
                },
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-web-templates \u003e= 6.2-milestone-1, \u003c 16.10.10"
                },
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-web-templates \u003e= 17.0.0-rc-1, \u003c 17.4.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through  17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the \"No\" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T21:34:47.460Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23244",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23244"
            }
          ],
          "source": {
            "advisory": "GHSA-7vpr-jm38-wr7w",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66472",
        "datePublished": "2025-12-10T21:34:47.460Z",
        "dateReserved": "2025-12-02T15:43:16.586Z",
        "dateUpdated": "2025-12-11T15:40:38.484Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55749 (GCVE-0-2025-55749)

    Vulnerability from cvelistv5 – Published: 2025-12-01 20:09 – Updated: 2025-12-01 20:34
    Title
    The XWiki Jetty package (XJetty) allows accessing any application file through URL
    Summary
    XWiki is an open-source wiki software platform. From 16.7.0 up to (but excluding) 16.10.11, 17.4.4 and 17.7.0, in an instance that is deployed using the XWiki Jetty package (XJetty), a servlet context is exposed that allows any file located in the webapp/ folder to be accessed statically over HTTP, without authentication. This allows reading files that might contain credentials. Instances not using the XJetty package are not affected by this issue. Fixed in 16.10.11, 17.4.4, and 17.7.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 16.7.0, < 16.10.11
    Affected: >= 17.0.0-rc1, < 17.4.4
    Affected: >= 17.5.0, < 17.7.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55749",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-01T20:34:46.305442Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-01T20:34:50.797Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 16.7.0, \u003c 16.10.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc1, \u003c 17.4.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0, \u003c 17.7.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contains credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-01T20:09:46.410Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-53gx-j3p6-2rw9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-53gx-j3p6-2rw9"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/42fb063749dd88cc78196f72d7318b7179285ebd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/42fb063749dd88cc78196f72d7318b7179285ebd"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/99a04a0e2143583f5154a43e02174155da7e8e10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/99a04a0e2143583f5154a43e02174155da7e8e10"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23438",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23438"
            }
          ],
          "source": {
            "advisory": "GHSA-53gx-j3p6-2rw9",
            "discovery": "UNKNOWN"
          },
          "title": "The XWiki Jetty package (XJetty) allows accessing any application file through URL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-55749",
        "datePublished": "2025-12-01T20:09:46.410Z",
        "dateReserved": "2025-08-14T22:31:17.685Z",
        "dateUpdated": "2025-12-01T20:34:50.797Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-52472 (GCVE-0-2025-52472)

    Vulnerability from cvelistv5 – Published: 2025-10-06 14:53 – Updated: 2025-10-06 15:13
    Title
    XWiki Platform vulnerable to HQL injection via wiki and space search REST API
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it's not that easy to exploit. The part of the query between the two fields can be enclosed in single quotes to effectively remove them, but the query still needs to remain valid with the query two times in it. This has been patched in versions 17.5.0, 17.4.2, and 16.10.9. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 4.3-milestone-1, < 16.10.9
    Affected: >= 17.0.0-rc-1, < 17.4.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-52472",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-06T15:13:19.573291Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-06T15:13:42.161Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.3-milestone-1, \u003c 16.10.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it\u0027s not that easy to exploit. The part of the query between the two fields can be enclosed in single quotes to effectively remove them, but the query still needs to remain valid with the query two times in it. This has been patched in versions 17.5.0, 17.4.2, and 16.10.9. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-06T14:53:46.654Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gprp-h92g-gc2h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gprp-h92g-gc2h"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/743ebf8696ffa55161ed2c5ecf26b09f69e6bcf1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/743ebf8696ffa55161ed2c5ecf26b09f69e6bcf1"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/a45eca2af772abb7324e56d7fd2df1ac937bc445",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/a45eca2af772abb7324e56d7fd2df1ac937bc445"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23247",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23247"
            }
          ],
          "source": {
            "advisory": "GHSA-gprp-h92g-gc2h",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform vulnerable to HQL injection via wiki and space search REST API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-52472",
        "datePublished": "2025-10-06T14:53:46.654Z",
        "dateReserved": "2025-06-17T02:28:39.716Z",
        "dateUpdated": "2025-10-06T15:13:42.161Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-55748 (GCVE-0-2025-55748)

    Vulnerability from cvelistv5 – Published: 2025-09-03 20:19 – Updated: 2025-09-03 20:47
    Title
    XWiki Platform's configuration files can be accessed through jsx and sx endpoints
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false`. This is fixed in version 16.10.7.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 4.2-milestone-2, < 16.10.7

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55748",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-03T20:47:42.905524Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-03T20:47:51.121Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2-milestone-2, \u003c 16.10.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It\u0027s possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg\u0026minify=false`. This is fixed in version 16.10.7."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T20:19:45.501Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-ee78930a9ac5ea586179fe8ab88a5fd58e369d175927d1e88a0b4dbc3ebcbf1eR62",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-ee78930a9ac5ea586179fe8ab88a5fd58e369d175927d1e88a0b4dbc3ebcbf1eR62"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23109",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23109"
            }
          ],
          "source": {
            "advisory": "GHSA-m63c-3rmg-r2cf",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform\u0027s configuration files can be accessed through jsx and sx endpoints"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-55748",
        "datePublished": "2025-09-03T20:19:45.501Z",
        "dateReserved": "2025-08-14T22:31:17.685Z",
        "dateUpdated": "2025-09-03T20:47:51.121Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-55747 (GCVE-0-2025-55747)

    Vulnerability from cvelistv5 – Published: 2025-09-03 20:12 – Updated: 2025-09-03 20:48
    Title
    XWiki Platform's configuration files can be accessed through the webjars API
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 6.1-milestone-2, < 16.10.7

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55747",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-03T20:48:20.232200Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-03T20:48:27.579Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1-milestone-2, \u003c 16.10.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T20:17:27.940Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-45ea9c87d5fb68cd5db0da7f78cf25e76f1325f5fe56e21618b21786fc706236R80-R81",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-45ea9c87d5fb68cd5db0da7f78cf25e76f1325f5fe56e21618b21786fc706236R80-R81"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-19350",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-19350"
            }
          ],
          "source": {
            "advisory": "GHSA-qww7-89xh-x7m7",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform\u0027s configuration files can be accessed through the webjars API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-55747",
        "datePublished": "2025-09-03T20:12:12.978Z",
        "dateReserved": "2025-08-14T22:31:17.685Z",
        "dateUpdated": "2025-09-03T20:48:27.579Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-58049 (GCVE-0-2025-58049)

    Vulnerability from cvelistv5 – Published: 2025-08-28 17:43 – Updated: 2025-08-28 18:15
    Title
    XWiki PDF export jobs store sensitive cookies unencrypted in job statuses
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
    • CWE-257 - Storing Passwords in a Recoverable Format
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 14.4.2, < 16.4.8
    Affected: >= 16.5.0-rc-1, < 16.10.7
    Affected: >= 17.0.0-rc-1, < 17.4.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58049",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-28T18:15:42.371947Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-28T18:15:47.326Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 14.4.2, \u003c 16.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn\u0027t store passwords in plain text, and it shouldn\u0027t be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-212",
                  "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-257",
                  "description": "CWE-257: Storing Passwords in a Recoverable Format",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-28T17:43:39.779Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23151",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23151"
            }
          ],
          "source": {
            "advisory": "GHSA-9m7c-m33f-3429",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki PDF export jobs store sensitive cookies unencrypted in job statuses"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-58049",
        "datePublished": "2025-08-28T17:43:39.779Z",
        "dateReserved": "2025-08-22T14:30:32.221Z",
        "dateUpdated": "2025-08-28T18:15:47.326Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54125 (GCVE-0-2025-54125)

    Vulnerability from cvelistv5 – Published: 2025-08-05 23:30 – Updated: 2025-08-06 20:29
    Title
    XWiki Platform: Password and email exposure in xml.vm fields
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn't needed. There isn't any feature in XWiki itself that depends on the XML export.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 1.1, < 16.4.7
    Affected: >= 16.5.0-rc-1, < 16.10.5
    Affected: >= 17.0.0-rc-1, < 17.2.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54125",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-06T20:28:50.779888Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-06T20:29:03.491Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XWIKI-22810"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.1, \u003c 16.4.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.2.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren\u0027t named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn\u0027t needed. There isn\u0027t any feature in XWiki itself that depends on the XML export."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-359",
                  "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-05T23:30:38.963Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-22810",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-22810"
            }
          ],
          "source": {
            "advisory": "GHSA-57q2-6cp4-9mq3",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform: Password and email exposure in xml.vm fields"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54125",
        "datePublished": "2025-08-05T23:30:38.963Z",
        "dateReserved": "2025-07-16T23:53:40.509Z",
        "dateUpdated": "2025-08-06T20:29:03.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54124 (GCVE-0-2025-54124)

    Vulnerability from cvelistv5 – Published: 2025-08-05 23:28 – Updated: 2025-08-06 20:28
    Title
    XWiki Platform: Any user with editing rights can access password properties through Database List Properties
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When an object of that XClass is added, the content of the referenced password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access the password hashes of all users, and possibly other password properties (with hashed or plain storage) on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 9.8-rc-1, < 16.4.7
    Affected: >= 16.5.0-rc-1, < 16.10.5
    Affected: >= 17.0.0-rc-1, < 17.2.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54124",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-06T20:27:54.134605Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-06T20:28:10.785Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XWIKI-22811"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.8-rc-1, \u003c 16.4.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.2.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-359",
                  "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-05T23:28:07.166Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-22811",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-22811"
            }
          ],
          "source": {
            "advisory": "GHSA-r38m-cgpg-qj69",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform: Any user with editing rights can access password properties through Database List Properties"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54124",
        "datePublished": "2025-08-05T23:28:07.166Z",
        "dateReserved": "2025-07-16T23:53:40.509Z",
        "dateUpdated": "2025-08-06T20:28:10.785Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-32430 (GCVE-0-2025-32430)

    Vulnerability from cvelistv5 – Published: 2025-08-05 23:27 – Updated: 2025-08-06 20:27
    Title
    XWiki Platform contains Reflected XSS vulnerability in two templates
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To work around the issue, manually patch the deployed WAR with the same changes as the original patch.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 4.2-milestone-3, < 16.4.8
    Affected: >= 16.5.0-rc-1, < 16.10.6
    Affected: >= 17.0.0-rc-1, < 17.3.0-rc-1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32430",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-06T20:26:53.478745Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-06T20:27:07.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2-milestone-3, \u003c 16.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.3.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim\u0027s session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-05T23:27:07.471Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23096",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23096"
            }
          ],
          "source": {
            "advisory": "GHSA-m9x4-w7p9-mxhx",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform contains Reflected XSS vulnerability in two templates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-32430",
        "datePublished": "2025-08-05T23:27:07.471Z",
        "dateReserved": "2025-04-08T10:54:58.367Z",
        "dateUpdated": "2025-08-06T20:27:07.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }