GHSA-W4FJ-87J5-F25C

Vulnerability from github – Published: 2026-04-14 22:33 – Updated: 2026-04-14 22:33
Summary
XWiki has Reflected Cross-Site Scripting (XSS) in page history compare
Details

Impact

A reflected cross-site scripting (XSS) vulnerability in the compare view between two revisions of a page allows an attacker who gets a user to open a crafted compare URL to execute JavaScript in that user's browser. If the victim is an admin, the impact is not limited to that user: the confidentiality, integrity and availability of the whole XWiki instance are at risk.

Patches

The problem has been patched by properly escaping the URL parameters before they are rendered into the page. Fixed versions are 16.10.16, 17.4.8 and 17.10.1 (see the affected ranges in the record below).
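To make the fix concrete, here is an added example (not XWiki code, and not the patched template) that models the pattern the advisory describes: two URL parameters of a revision-compare view reflected into the page, first unescaped and then escaped per output context. The parameter names rev1/rev2, the markup and the probe payloads are assumptions for illustration.

```python
import html
from urllib.parse import parse_qs, quote as url_quote, urlsplit

# Added example, not XWiki code. Parameter names (rev1, rev2) and markup are assumed.


def revisions_from_url(url):
    """Pull the two revision parameters out of a compare URL (names assumed)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("rev1", [""])[0], query.get("rev2", [""])[0]


def render_compare_vulnerable(rev1, rev2):
    """Before: raw parameter values concatenated into element text and an attribute."""
    return (
        f"<h2>Changes between {rev1} and {rev2}</h2>\n"
        f'<a href="?viewer=changes&rev1={rev2}&rev2={rev1}">Swap revisions</a>'
    )


def render_compare_fixed(rev1, rev2):
    """After: escape for each output context the value lands in."""
    # Element text: entity-encode < > & and quotes.
    heading = f"<h2>Changes between {html.escape(rev1)} and {html.escape(rev2)}</h2>"
    # URL inside an attribute: percent-encode for the query string first, then
    # entity-encode the whole attribute value so it cannot terminate the quote.
    query = (
        f"?viewer=changes&rev1={url_quote(rev2, safe='')}"
        f"&rev2={url_quote(rev1, safe='')}"
    )
    link = f'<a href="{html.escape(query, quote=True)}">Swap revisions</a>'
    return heading + "\n" + link


# Constructed probe payloads (not from the advisory), one per context reached.
PROBE_TEXT = "1.1<img src=x onerror=alert(1)>"      # breaks out of element text
PROBE_ATTR = '1.1" onmouseover="alert(1)'           # breaks out of a quoted attribute


def reflected_unescaped(page, probe):
    """True if the probe's active characters survived into the markup verbatim."""
    return probe in page


def assess(render):
    """Run both probes through a renderer; report which contexts are exploitable."""
    return {
        "text": reflected_unescaped(render(PROBE_TEXT, "1.2"), PROBE_TEXT),
        "attribute": reflected_unescaped(render("1.2", PROBE_ATTR), PROBE_ATTR),
    }


if __name__ == "__main__":
    url = "https://wiki.example/xwiki/bin/view/Main/WebHome?viewer=changes&rev1=1.1&rev2=1.2"
    print(revisions_from_url(url))
    print("vulnerable:", assess(render_compare_vulnerable))
    print("fixed:     ", assess(render_compare_fixed))
```

The point of escaping per context is that one encoder does not cover both places the value lands: entity-encoding alone is correct for element text, but a value placed inside a URL in an attribute needs percent-encoding as well, or it can still smuggle extra query parameters. In a Velocity template the same separation applies with the standard Velocity EscapeTool; the linked commit shows the exact change XWiki made.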

Workarounds

The patch (https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c#diff-a5e75a4e3820a63c02a32666dda67c73ee7885ab8e7f67e52cfcb3be5a13326e) can be applied manually to templates/changesdoc.vm in the deployed WAR.

Attribution

XWiki thanks Mike Cole @mikecole-mg for discovering and reporting this vulnerability.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-web-templates"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.4-rc-1"
            },
            {
              "fixed": "16.10.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-web-templates"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0-rc-1"
            },
            {
              "fixed": "17.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-web-templates"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.5.0-rc-1"
            },
            {
              "fixed": "17.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T22:33:56Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nA reflected cross-site scripting vulnerability (XSS) in the compare view between revisions of a page allows executing JavaScript code in the user\u0027s browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance.\n\n### Patches\nThe problem has been patched by properly escaping the URL parameters.\n\n### Workarounds\nThe [patch](https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c#diff-a5e75a4e3820a63c02a32666dda67c73ee7885ab8e7f67e52cfcb3be5a13326e) can be applied manually to `templates/changesdoc.vm` in the deployed WAR.\n\n### Attribution\n\nXWiki thanks Mike Cole @mikecole-mg for discovering and reporting this vulnerability.",
  "id": "GHSA-w4fj-87j5-f25c",
  "modified": "2026-04-14T22:33:56Z",
  "published": "2026-04-14T22:33:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-23472"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XWiki has Reflected Cross-Site Scripting (XSS) in page history compare"
}
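The three affected ranges above use OSV semantics (introduced is inclusive, fixed is exclusive) and XWiki's version scheme, where 17.5.0-rc-1 precedes 17.5.0. The following added example (not part of the advisory or the XWiki project) turns the record into a version check. The version grammar it accepts (dotted integers plus an optional -milestone-N or -rc-N suffix, ordered milestone < rc < final) is an assumption.

```python
import re

# Affected ranges for org.xwiki.platform:xwiki-platform-web-templates, copied from
# the OSV record above: "introduced" is inclusive, "fixed" is exclusive.
AFFECTED_RANGES = [
    ("10.4-rc-1", "16.10.16"),
    ("17.0.0-rc-1", "17.4.8"),
    ("17.5.0-rc-1", "17.10.1"),
]

# Assumed XWiki version grammar: dotted integers, optionally followed by
# -milestone-N or -rc-N. Assumed ordering: milestone < rc < final release.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?$", re.IGNORECASE)
_STAGE_ORDER = {"milestone": 0, "rc": 1}


def parse_version(text):
    """Turn an XWiki version string into a key that compares correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))        # "10.4" sorts like "10.4.0"
    if m.group(2) is None:
        stage = (2, 0)                           # final release
    else:
        stage = (_STAGE_ORDER[m.group(2).lower()], int(m.group(3)))
    return (tuple(numbers), stage)


def fix_version_for(version, ranges=AFFECTED_RANGES):
    """Return the fixed version closing the range that contains `version`, else None."""
    key = parse_version(version)
    for introduced, fixed in ranges:
        if parse_version(introduced) <= key < parse_version(fixed):
            return fixed
    return None


def is_affected(version, ranges=AFFECTED_RANGES):
    """True when `version` falls inside one of the advisory's affected ranges."""
    return fix_version_for(version, ranges) is not None


if __name__ == "__main__":
    for v in ("9.11.8", "10.4-rc-1", "16.10.15", "16.10.16", "17.0.0-rc-1",
              "17.4.8", "17.5.0-rc-1", "17.10.0", "17.10.1"):
        fix = fix_version_for(v)
        print(f"{v:14} {'affected, upgrade to ' + fix if fix else 'not affected'}")
```

Two caveats when using this against a real deployment: the ranges describe the Maven artifact, so the check presumes the deployed templates match the platform version, and an instance that applied the manual workaround to changesdoc.vm will still report as affected because its version string has not changed. Versions in the gap between one range's fixed version and the next range's introduced version (for example 16.10.16 up to, but not including, 17.0.0-rc-1) are not listed as affected, and the check treats them as clean.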

