GHSA-H259-74H5-4RH9
Vulnerability from github – Published: 2026-04-08 15:00 – Updated: 2026-04-08 19:26
Summary
XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API
Details
Impact
A scripting API that was not properly protected lets any user with script right break out of the sandboxing of the Velocity scripting API and execute arbitrary code, for example Python scripts, with full access to the XWiki instance, thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users; what this issue removes is the remaining distinction between script right and programming right.
Patches
The vulnerability has been patched in XWiki 17.4.8 and 17.10.1 by requiring programming right to access the affected scripting API. According to the affected ranges in the record below, versions from 17.0.0-rc-1 up to but not including 17.4.8, and from 17.5.0-rc-1 up to but not including 17.10.1, are affected (packages org.xwiki.platform:xwiki-platform-oldcore and org.xwiki.platform:xwiki-platform-legacy-oldcore).
Workarounds
We're not aware of any workarounds except for being careful whom you grant script right. Until the upgrade, review which users and groups hold script right, directly or through group membership, and treat everyone who does as if they held programming right.
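A small audit helper for the workaround above, added here as an example and not part of the advisory or of XWiki. It walks rights objects in the shape XWiki's REST API uses when listing the objects of a class (an `objectSummaries` array whose entries carry a `properties` list of name/value pairs, as for XWiki.XWikiGlobalRights on XWiki.XWikiPreferences) and reports every user and group whose rule includes the `script` level. The payload is constructed for the example; the exact REST path and property encoding on a real instance are assumptions to verify against that instance's own responses. Remember that programming right implies script right, so holders of programming right must be counted as well, and that effective rights also depend on space and page level XWiki.XWikiRights objects, which this helper only sees if you feed them in.

```python
"""List who holds script right according to XWiki rights objects (added example)."""
import json

# Constructed sample in the assumed shape of a REST object listing for
# XWiki.XWikiGlobalRights: allow/deny rules with comma separated levels,
# users and groups. Not taken from a real instance.
SAMPLE_OBJECTS = json.dumps({
    "objectSummaries": [
        {
            "className": "XWiki.XWikiGlobalRights",
            "number": 0,
            "properties": [
                {"name": "allow", "value": "1"},
                {"name": "levels", "value": "view,edit,script"},
                {"name": "users", "value": ""},
                {"name": "groups", "value": "XWiki.XWikiAdminGroup"},
            ],
        },
        {
            "className": "XWiki.XWikiGlobalRights",
            "number": 1,
            "properties": [
                {"name": "allow", "value": "1"},
                {"name": "levels", "value": "script,programming"},
                {"name": "users", "value": "XWiki.Contractor"},
                {"name": "groups", "value": ""},
            ],
        },
        {
            "className": "XWiki.XWikiGlobalRights",
            "number": 2,
            "properties": [
                {"name": "allow", "value": "0"},
                {"name": "levels", "value": "script"},
                {"name": "users", "value": "XWiki.Guest"},
                {"name": "groups", "value": ""},
            ],
        },
    ]
})


def _props(obj):
    """Flatten the [{name, value}, ...] property list into a dict."""
    return {p["name"]: p.get("value", "") for p in obj.get("properties", [])}


def _split(csv):
    """Split XWiki's comma separated reference lists, dropping blanks."""
    return [x.strip() for x in csv.split(",") if x.strip()]


def script_right_grants(payload):
    """Return {"allow": {"users", "groups"}, "deny": {...}} for rules that name the script level.

    Programming right implies script right in XWiki, so rules granting
    "programming" are counted as script grants too.
    """
    grants = {"allow": {"users": set(), "groups": set()},
              "deny": {"users": set(), "groups": set()}}
    for obj in json.loads(payload).get("objectSummaries", []):
        # Both XWiki.XWikiGlobalRights (wiki/space) and XWiki.XWikiRights (page) share this layout.
        if not obj.get("className", "").endswith("Rights"):
            continue
        p = _props(obj)
        levels = set(_split(p.get("levels", "")))
        if not levels & {"script", "programming"}:
            continue
        key = "allow" if p.get("allow", "0") == "1" else "deny"
        grants[key]["users"].update(_split(p.get("users", "")))
        grants[key]["groups"].update(_split(p.get("groups", "")))
    return grants


if __name__ == "__main__":
    result = script_right_grants(SAMPLE_OBJECTS)
    for kind in ("allow", "deny"):
        for what in ("users", "groups"):
            for ref in sorted(result[kind][what]):
                print(f"{kind:5} script {what[:-1]:5} {ref}")
```

Feed it the JSON returned for the rights objects of XWiki.XWikiPreferences (wiki level), each space's WebPreferences, and any page that carries XWiki.XWikiRights objects; a group appearing under `allow` means every member of that group can reach the affected API until the instance is upgraded.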
Attribution
We thank Youssef Azefzaf for discovering and reporting this vulnerability.
Severity
HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (CWE-862: Missing Authorization). Full OSV record:
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0-rc-1"
},
{
"fixed": "17.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "17.5.0-rc-1"
},
{
"fixed": "17.10.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-legacy-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0-rc-1"
},
{
"fixed": "17.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-legacy-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "17.5.0-rc-1"
},
{
"fixed": "17.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33229"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T15:00:17Z",
"nvd_published_at": "2026-04-08T16:16:23Z",
"severity": "HIGH"
},
"details": "### Impact\nAn improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don\u0027t recommend giving to untrusted users.\n\n### Patches\nThe vulnerability has been patched in XWiki 17.4.8 and 17.10.1 by requiring programming right to access the affected scripting API.\n\n### Workarounds\nWe\u0027re not aware of any workarounds except for being careful whom you grant script right.\n\n### Attribution\nWe thank Youssef Azefzaf for discovering and reporting this vulnerability.",
"id": "GHSA-h259-74h5-4rh9",
"modified": "2026-04-08T19:26:25Z",
"published": "2026-04-08T15:00:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33229"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-23698"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-23702"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API"
}
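The `affected` ranges in the record above use OSV semantics: `introduced` is inclusive, `fixed` is exclusive, and ECOSYSTEM ranges are compared with Maven version ordering, in which a qualified version such as 17.0.0-rc-1 sorts before the plain 17.0.0 release. The following checker is an added example, not part of the advisory or of XWiki; it hard codes the two ranges from the record and decides whether a given version of xwiki-platform-oldcore falls inside either. Its comparator is a deliberate simplification of Maven's ComparableVersion (numeric components, then a pre-release qualifier), sufficient for the versions named here.

```python
"""Check an XWiki version against the affected ranges in this advisory (added example)."""
import re

# Copied from the OSV record: (introduced inclusive, fixed exclusive).
AFFECTED_RANGES = [
    ("17.0.0-rc-1", "17.4.8"),
    ("17.5.0-rc-1", "17.10.1"),
]


def parse_version(v):
    """Turn "17.4.8" or "17.0.0-rc-1" into a tuple that sorts like Maven does.

    Layout: numeric components (padded to three), then a release flag,
    then the qualifier parts. The flag is 0 for a pre-release and 1 for a
    release, so 17.0.0-rc-1 < 17.0.0 and 17.0.0-milestone-1 < 17.0.0-rc-1.
    Simplified relative to Maven's full rules (assumption of this example).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(.+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # 17.4 -> 17.4.0
    qualifier = m.group(2)
    if qualifier is None:
        return numbers + (1, ())
    parts = tuple(int(p) if p.isdigit() else p.lower() for p in qualifier.split("-"))
    return numbers + (0, parts)


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if version lies in [introduced, fixed) for any listed range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def assess(versions):
    """Map each version to its affected/not affected verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    for ver, hit in assess(["16.10.5", "17.0.0-rc-1", "17.4.7", "17.4.8",
                            "17.5.0", "17.10.0", "17.10.1"]).items():
        print(f"{ver:12} {'AFFECTED' if hit else 'not affected'}")
```

Note the gap between the two ranges: a 17.4.x release at or above 17.4.8 is fixed even though it predates 17.10.1, because the record treats the 17.4 maintenance line and the 17.5 to 17.10 line as separate ranges.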