GHSA-XQ3R-2QV5-VQQM

Vulnerability from github – Published: 2026-05-26 17:16 – Updated: 2026-05-26 17:16
Summary
XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash
Details

Impact

It's possible to access and read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false.

This can apparently be reproduced on Tomcat instances.
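As an added illustration (this is not part of the advisory and not XWiki's own code), the script below shows two things a defender would want for the request shape above: a segment-walking check that rejects a resource path which climbs above its root even when it starts with a slash, while still accepting paths such as js/../css/app.css that never leave the root, and a scan over Tomcat-style access log lines for ssx/jsx requests carrying such a resource parameter. The endpoint prefixes, the log format and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the advisory (assumed path prefixes for the example).
SSX_JSX_PREFIXES = ("/bin/ssx/", "/bin/jsx/")

# Tomcat-style common log format; the constructed sample below uses this shape.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def escapes_resource_root(resource: str) -> bool:
    """True if the resource path climbs above its root at any point.

    A leading slash does not make the path safe: "/../../x" still walks two
    levels up from wherever the server joins it.  Segments are walked with a
    depth counter, so "js/../css/app.css" (never below the root) is accepted
    and "/../../WEB-INF/xwiki.cfg" is rejected.
    """
    # The query string was decoded once already by parse_qs; decode again to
    # surface double-encoded dots and slashes such as %252e%252e.
    decoded = unquote(resource).replace("\\", "/")
    depth = 0
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def find_traversal_requests(lines):
    """Return (client, path, resource, status) for each ssx/jsx request whose
    resource parameter escapes the resource root."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(SSX_JSX_PREFIXES):
            continue
        for resource in parse_qs(parts.query).get("resource", []):
            if escapes_resource_root(resource):
                hits.append((m.group("ip"), parts.path, resource, m.group("status")))
    return hits


# Constructed sample access-log lines (not real traffic).  The first and third
# reproduce the request shape from the advisory, plain and URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/May/2026:10:00:01 +0000] "GET /bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 5120',
    '10.0.0.7 - - [26/May/2026:10:00:02 +0000] "GET /bin/ssx/Main/WebHome?resource=css/style.css&minify=true HTTP/1.1" 200 812',
    '10.0.0.9 - - [26/May/2026:10:00:03 +0000] "GET /bin/jsx/Main/WebHome?resource=%2F..%2F..%2FWEB-INF%2Fxwiki.cfg HTTP/1.1" 200 2048',
    '10.0.0.9 - - [26/May/2026:10:00:04 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 9000',
    '10.0.0.3 - - [26/May/2026:10:00:05 +0000] "GET /bin/ssx/Main/WebHome?resource=js/../css/app.css HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, path, resource, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{client} {path} resource={resource!r} status={status}")
```

The scan is a triage aid for spotting attempts in existing logs; it is not a substitute for the upgrade, since the advisory lists no other workaround. The depth-counter normalization is the shape of check a resource-serving endpoint needs: it decides on the resolved path, not on whether the raw string happens to begin with "..".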

Patches

This has been patched in 18.0.0-rc-1, 17.10.3, 17.4.9, 16.10.17.

Workarounds

There is no known workaround, other than upgrading XWiki.

References

  • https://jira.xwiki.org/browse/XCOMMONS-3547
  • https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Jira XWiki.org (https://jira.xwiki.org/)
  • Email us at the Security Mailing List (security@xwiki.org)

Attribution

The vulnerability was reported by Michał Kołek.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.commons:xwiki-commons-classloader-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2-milestone-2"
            },
            {
              "fixed": "16.10.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.commons:xwiki-commons-classloader-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0-rc-1"
            },
            {
              "fixed": "17.4.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.commons:xwiki-commons-classloader-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.5.0"
            },
            {
              "fixed": "17.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.commons:xwiki-commons-classloader-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "18.0.0-rc-1"
            },
            {
              "fixed": "18.1.0-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23734"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-26T17:16:40Z",
    "nvd_published_at": "2026-05-20T20:16:36Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nIt\u0027s possible to get access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg\u0026minify=false`.\n\nThis can apparently be reproduced on Tomcat instances.\n\n### Patches\n\nThis has been patched in 18.0.0-rc-1, 17.10.3, 17.4.9, 16.10.17.\n\n### Workarounds\n\nThere is no known workaround, other than upgrading XWiki.\n\n### References\n\n* https://jira.xwiki.org/browse/XCOMMONS-3547\n* https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nThe vulnerability was reported by Micha\u0142 Ko\u0142ek.",
  "id": "GHSA-xq3r-2qv5-vqqm",
  "modified": "2026-05-26T17:16:40Z",
  "published": "2026-05-26T17:16:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-xq3r-2qv5-vqqm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23734"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-commons"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XCOMMONS-3547"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash"
}

