Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    570 vulnerabilities by xwiki

    CVE-2026-33137 (GCVE-0-2026-33137)

    Vulnerability from nvd – Published: 2026-05-20 18:59 – Updated: 2026-05-26 18:20
    VLAI
    Title
    XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 15.10.6, < 16.10.17
    Affected: >= 17.0.0-rc-1, < 17.4.9
    Affected: >= 17.5.0, < 17.10.3
    Affected: >= 18.0.0-rc-1, < 18.1.0-rc-1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33137",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T13:24:33.961502Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T13:26:33.928Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 15.10.6, \u003c 16.10.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0, \u003c 17.10.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.0.0-rc-1, \u003c 18.1.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T18:20:49.991Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23953",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23953"
            }
          ],
          "source": {
            "advisory": "GHSA-qrvh-r3f2-9h4r",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33137",
        "datePublished": "2026-05-20T18:59:17.819Z",
        "dateReserved": "2026-03-17T20:35:49.929Z",
        "dateUpdated": "2026-05-26T18:20:49.991Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23734 (GCVE-0-2026-23734)

    Vulnerability from nvd – Published: 2026-05-20 18:39 – Updated: 2026-05-26 16:37
    VLAI
    Title
    XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash
    Summary
    XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability is can be exploited via resources parameter the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-commons Affected: >= 4.2-milestone-2, < 16.10.17
    Affected: >= 17.0.0-rc-1, < 17.4.9
    Affected: >= 17.5.0, < 17.10.3
    Affected: >= 18.0.0-rc-1, < 18.1.0-rc-1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23734",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T14:03:41.927653Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T14:03:55.529Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-commons",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2-milestone-2, \u003c 16.10.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0, \u003c 17.10.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.0.0-rc-1, \u003c 18.1.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg\u0026minify=false, leading to Path Traversal. The vulnerability is can be exploited via resources parameter the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T16:37:39.621Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-xq3r-2qv5-vqqm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-xq3r-2qv5-vqqm"
            },
            {
              "name": "https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf"
            },
            {
              "name": "https://jira.xwiki.org/browse/XCOMMONS-3547",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XCOMMONS-3547"
            }
          ],
          "source": {
            "advisory": "GHSA-xq3r-2qv5-vqqm",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23734",
        "datePublished": "2026-05-20T18:39:32.313Z",
        "dateReserved": "2026-01-15T15:45:01.957Z",
        "dateUpdated": "2026-05-26T16:37:39.621Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-51846 (GCVE-0-2025-51846)

    Vulnerability from nvd – Published: 2026-04-30 16:35 – Updated: 2026-04-30 17:15
    VLAI
    Title
    CryptPad unbounded WebSocket frame flood
    Summary
    CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    CryptPad CryptPad Affected: 2025.3.1 , < 2026.2.2 (custom)
    Unaffected: 2026.2.2
    Create a notification for this product.
    Date Public
    2026-03-25 00:00
    Credits
    John Perifanis, Unisystems
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-51846",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-30T17:15:22.933048Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-30T17:15:30.109Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "CryptPad",
              "vendor": "CryptPad",
              "versions": [
                {
                  "lessThan": "2026.2.2",
                  "status": "affected",
                  "version": "2025.3.1",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.2.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "John Perifanis, Unisystems"
            }
          ],
          "datePublic": "2026-03-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2025-51846",
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "yes"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2026-04-22T15:32:32.020942Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-30T16:35:59.625Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://github.com/cryptpad/cryptpad/pull/2239/changes/1e0c06ad8a0c5dab795f85f9730ec2693320c62e"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2025-51846"
            },
            {
              "name": "url",
              "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-01.json"
            },
            {
              "name": "url",
              "url": "https://github.com/JohnPerifanis/cryptpad-cve-2025-51846-advisory/blob/main/README.md"
            }
          ],
          "title": "CryptPad unbounded WebSocket frame flood"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2025-51846",
        "datePublished": "2026-04-30T16:35:59.625Z",
        "dateReserved": "2025-06-16T03:28:36.966Z",
        "dateUpdated": "2026-04-30T17:15:30.109Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40105 (GCVE-0-2026-40105)

    Vulnerability from nvd – Published: 2026-04-15 00:07 – Updated: 2026-04-15 16:13
    VLAI
    Title
    XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 10.4-rc-1, < 16.10.16
    Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40105",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T14:02:32.181983Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-15T16:13:48.450Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 10.4-rc-1, \u003c 16.10.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through  16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user\u0027s browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T00:07:23.150Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23472",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23472"
            }
          ],
          "source": {
            "advisory": "GHSA-w4fj-87j5-f25c",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40105",
        "datePublished": "2026-04-15T00:07:23.150Z",
        "dateReserved": "2026-04-09T01:41:38.536Z",
        "dateUpdated": "2026-04-15T16:13:48.450Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40104 (GCVE-0-2026-40104)

    Vulnerability from nvd – Published: 2026-04-15 00:01 – Updated: 2026-04-16 14:08
    VLAI
    Title
    XWiki's REST APIs can list all pages/spaces, leading to unavailability
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    xwiki org.xwiki.platform:xwiki-platform-oldcore Affected: >= 1.8-rc-1, < 16.10.16
    Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    Create a notification for this product.
    xwiki org.xwiki.platform:xwiki-platform-legacy-oldcore Affected: >= 1.8-rc-1, < 16.10.16
    Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40104",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T14:08:13.653691Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T14:08:58.592Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "org.xwiki.platform:xwiki-platform-oldcore",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.8-rc-1, \u003c 16.10.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            },
            {
              "product": "org.xwiki.platform:xwiki-platform-legacy-oldcore",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.8-rc-1, \u003c 16.10.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T00:01:58.583Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23550",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23550"
            }
          ],
          "source": {
            "advisory": "GHSA-mrqg-xmgm-rc5g",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki\u0027s REST APIs can list all pages/spaces, leading to unavailability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40104",
        "datePublished": "2026-04-15T00:01:58.583Z",
        "dateReserved": "2026-04-09T01:41:38.536Z",
        "dateUpdated": "2026-04-16T14:08:58.592Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33229 (GCVE-0-2026-33229)

    Vulnerability from nvd – Published: 2026-04-08 14:53 – Updated: 2026-04-10 20:33
    VLAI
    Title
    XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    Create a notification for this product.
    org.xwiki.platform xwiki-platform-legacy-oldcore Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    Create a notification for this product.
    org.xwiki.platform xwiki-platform-oldcore Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33229",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-10T20:32:55.827011Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T20:33:15.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            },
            {
              "product": "xwiki-platform-legacy-oldcore",
              "vendor": "org.xwiki.platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            },
            {
              "product": "xwiki-platform-oldcore",
              "vendor": "org.xwiki.platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don\u0027t recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T14:53:35.977Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23698",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23698"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23702",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23702"
            }
          ],
          "source": {
            "advisory": "GHSA-h259-74h5-4rh9",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33229",
        "datePublished": "2026-04-08T14:53:35.977Z",
        "dateReserved": "2026-03-18T02:42:27.507Z",
        "dateUpdated": "2026-04-10T20:33:15.897Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66024 (GCVE-0-2025-66024)

    Vulnerability from nvd – Published: 2026-03-04 21:47 – Updated: 2026-03-05 16:20
    VLAI
    Title
    XWiki Blog Application home page vulnerable to Stored XSS via Post Title
    Summary
    The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML <title> tag without proper escaping. An attacker with permissions to create or edit blog posts can inject malicious JavaScript into the title field. This script will execute in the browser of any user (including administrators) who views the blog post. This leads to potential session hijacking or privilege escalation. The vulnerability has been patched in the blog application version 9.15.7 by adding missing escaping. No known workarounds are available.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66024",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-05T16:19:54.455309Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-05T16:20:45.664Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "application-blog-ui",
              "vendor": "xwiki-contrib",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 9.15.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML \u003ctitle\u003e tag without proper escaping. An attacker with permissions to create or edit blog posts can inject malicious JavaScript into the title field. This script will execute in the browser of any user (including administrators) who views the blog post. This leads to potential session hijacking or privilege escalation. The vulnerability has been patched in the blog application version 9.15.7 by adding missing escaping. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-04T21:47:11.143Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki-contrib/application-blog/security/advisories/GHSA-h2xq-h7f9-vh6c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki-contrib/application-blog/security/advisories/GHSA-h2xq-h7f9-vh6c"
            },
            {
              "name": "https://github.com/xwiki-contrib/application-blog/commit/cca87f0a0edc2e7e049d46d51f4a4d8f78b714ba",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki-contrib/application-blog/commit/cca87f0a0edc2e7e049d46d51f4a4d8f78b714ba"
            },
            {
              "name": "https://jira.xwiki.org/browse/BLOG-245",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/BLOG-245"
            }
          ],
          "source": {
            "advisory": "GHSA-h2xq-h7f9-vh6c",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Blog Application home page vulnerable to Stored XSS via Post Title"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66024",
        "datePublished": "2026-03-04T21:47:11.143Z",
        "dateReserved": "2025-11-21T01:08:02.613Z",
        "dateUpdated": "2026-03-05T16:20:45.664Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-26000 (GCVE-0-2026-26000)

    Vulnerability from nvd – Published: 2026-02-12 20:30 – Updated: 2026-02-12 20:54
    VLAI
    Title
    XWiki Platform affected by click-jacking through CSS injection in comments
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
    Assigner
    References
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 17.5.0, < 17.9.0
    Affected: >= 17.0.0-rc-1, < 17.4.6
    Affected: < 16.10.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-26000",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T20:54:20.382398Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-12T20:54:45.754Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0, \u003c  17.9.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.10.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it\u0027s possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1021",
                  "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T20:30:07.263Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-74rh-c5rh-88vg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-74rh-c5rh-88vg"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.6"
            }
          ],
          "source": {
            "advisory": "GHSA-74rh-c5rh-88vg",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform affected by click-jacking through CSS injection in comments"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-26000",
        "datePublished": "2026-02-12T20:30:07.263Z",
        "dateReserved": "2026-02-09T17:41:55.859Z",
        "dateUpdated": "2026-02-12T20:54:45.754Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24128 (GCVE-0-2026-24128)

    Vulnerability from nvd – Published: 2026-01-23 23:18 – Updated: 2026-01-26 17:12
    VLAI
    Title
    XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 7.0-milestone-2, < 16.10.12
    Affected: >= 17.0.0-rc-1, < 17.4.5
    Affected: >= 17.5.0-rc-1, < 17.8.0-rc-1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24128",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-26T17:12:38.601796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-26T17:12:52.761Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.0-milestone-2, \u003c 16.10.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.8.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-23T23:18:31.366Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23462",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23462"
            }
          ],
          "source": {
            "advisory": "GHSA-wvqx-m5px-6cmp",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-24128",
        "datePublished": "2026-01-23T23:18:31.366Z",
        "dateReserved": "2026-01-21T18:38:22.473Z",
        "dateUpdated": "2026-01-26T17:12:52.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-65091 (GCVE-0-2025-65091)

    Vulnerability from nvd – Published: 2026-01-10 03:06 – Updated: 2026-01-12 17:35
    VLAI
    Title
    XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService
    Summary
    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-65091",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T17:35:13.091420Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T17:35:19.706Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "macro-fullcalendar",
              "vendor": "xwiki-contrib",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.4.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-10T03:06:16.775Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5"
            },
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994"
            }
          ],
          "source": {
            "advisory": "GHSA-2g22-wg49-fgv5",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-65091",
        "datePublished": "2026-01-10T03:06:16.775Z",
        "dateReserved": "2025-11-17T20:55:34.691Z",
        "dateUpdated": "2026-01-12T17:35:19.706Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-65090 (GCVE-0-2025-65090)

    Vulnerability from nvd – Published: 2026-01-10 03:05 – Updated: 2026-01-12 17:36
    VLAI
    Title
    XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService
    Summary
    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-65090",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T17:36:31.744611Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T17:36:38.233Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "macro-fullcalendar",
              "vendor": "xwiki-contrib",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.4.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-10T03:06:03.471Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m"
            },
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884"
            },
            {
              "name": "https://jira.xwiki.org/browse/FULLCAL-82",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/FULLCAL-82"
            }
          ],
          "source": {
            "advisory": "GHSA-637h-ch24-xp9m",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-65090",
        "datePublished": "2026-01-10T03:05:06.531Z",
        "dateReserved": "2025-11-17T20:55:34.691Z",
        "dateUpdated": "2026-01-12T17:36:38.233Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66474 (GCVE-0-2025-66474)

    Vulnerability from nvd – Published: 2025-12-10 21:59 – Updated: 2025-12-11 15:39
    VLAI
    Title
    XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection
    Summary
    XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit through RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-rendering Affected: < 16.10.10
    Affected: >= 17.0.0-rc-1, < 17.4.3
    Affected: >= 17.5.0-rc-1, < 17.6.0-rc-1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66474",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-11T15:39:13.257183Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T15:39:27.299Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XRENDERING-793"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XRENDERING-792"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XRENDERING-693"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-rendering",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.10.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.6.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit through RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-95",
                  "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T21:59:58.727Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/12b780ccd5bca5fc8f74f46648d7e02fa04fbc11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/12b780ccd5bca5fc8f74f46648d7e02fa04fbc11"
            },
            {
              "name": "https://github.com/xwiki/xwiki-rendering/commit/9b71a2ee035815cfc29cebbfe81dbdd98f941d49",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-rendering/commit/9b71a2ee035815cfc29cebbfe81dbdd98f941d49"
            },
            {
              "name": "https://jira.xwiki.org/browse/XRENDERING-693",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XRENDERING-693"
            },
            {
              "name": "https://jira.xwiki.org/browse/XRENDERING-792",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XRENDERING-792"
            },
            {
              "name": "https://jira.xwiki.org/browse/XRENDERING-793",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XRENDERING-793"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23378",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23378"
            }
          ],
          "source": {
            "advisory": "GHSA-9xc6-c2rm-f27p",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66474",
        "datePublished": "2025-12-10T21:59:58.727Z",
        "dateReserved": "2025-12-02T16:23:01.098Z",
        "dateUpdated": "2025-12-11T15:39:27.299Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66473 (GCVE-0-2025-66473)

    Vulnerability from nvd – Published: 2025-12-10 21:51 – Updated: 2025-12-11 15:39
    VLAI
    Title
    XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis
    Summary
    XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: < 16.10.11
    Affected: >= 17.0.0-rc-1, < 17.4.4
    Affected: >= 17.5.0-rc-1, < 17.7.0-rc-1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66473",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-11T15:39:41.356268Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T15:39:53.549Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XWIKI-23355"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.10.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.7.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn\u0027t enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T21:51:55.836Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23355",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23355"
            }
          ],
          "source": {
            "advisory": "GHSA-cc84-q3v3-mhgf",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki\u0027s REST APIs don\u0027t enforce any limits, leading to unavailability and OOM in large wikis"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66473",
        "datePublished": "2025-12-10T21:51:55.836Z",
        "dateReserved": "2025-12-02T16:23:01.097Z",
        "dateUpdated": "2025-12-11T15:39:53.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66472 (GCVE-0-2025-66472)

    Vulnerability from nvd – Published: 2025-12-10 21:34 – Updated: 2025-12-11 15:40
    VLAI
    Title
    XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the "No" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: org.xwiki.platform:xwiki-platform-flamingo-skin-resources >= 6.2-milestone-1, < 16.10.10
    Affected: org.xwiki.platform:xwiki-platform-flamingo-skin-resources >= 17.0.0-rc-1, < 17.4.2
    Affected: org.xwiki.platform:xwiki-platform-web-templates >= 6.2-milestone-1, < 16.10.10
    Affected: org.xwiki.platform:xwiki-platform-web-templates >= 17.0.0-rc-1, < 17.4.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66472",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-11T15:40:26.291295Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T15:40:38.484Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-flamingo-skin-resources \u003e= 6.2-milestone-1, \u003c 16.10.10"
                },
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-flamingo-skin-resources \u003e= 17.0.0-rc-1, \u003c 17.4.2"
                },
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-web-templates \u003e= 6.2-milestone-1, \u003c 16.10.10"
                },
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-web-templates \u003e= 17.0.0-rc-1, \u003c 17.4.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through  17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the \"No\" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T21:34:47.460Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23244",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23244"
            }
          ],
          "source": {
            "advisory": "GHSA-7vpr-jm38-wr7w",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66472",
        "datePublished": "2025-12-10T21:34:47.460Z",
        "dateReserved": "2025-12-02T15:43:16.586Z",
        "dateUpdated": "2025-12-11T15:40:38.484Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-65036 (GCVE-0-2025-65036)

    Vulnerability from nvd – Published: 2025-12-05 16:10 – Updated: 2025-12-05 16:27
    VLAI
    Title
    XWiki Remote Macros vulnerable to remote code execution using the confluence details summary macro
    Summary
    XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    xwikisas xwiki-pro-macros Affected: < 1.27.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-65036",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-05T16:26:53.406955Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-05T16:27:31.564Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-pro-macros",
              "vendor": "xwikisas",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.27.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-05T16:10:08.595Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-472x-fwh9-r82f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-472x-fwh9-r82f"
            }
          ],
          "source": {
            "advisory": "GHSA-472x-fwh9-r82f",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Remote Macros vulnerable to remote code execution using the confluence details summary macro"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-65036",
        "datePublished": "2025-12-05T16:10:08.595Z",
        "dateReserved": "2025-11-13T15:36:51.684Z",
        "dateUpdated": "2025-12-05T16:27:31.564Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33137 (GCVE-0-2026-33137)

    Vulnerability from cvelistv5 – Published: 2026-05-20 18:59 – Updated: 2026-05-26 18:20
    VLAI
    Title
    XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 15.10.6, < 16.10.17
    Affected: >= 17.0.0-rc-1, < 17.4.9
    Affected: >= 17.5.0, < 17.10.3
    Affected: >= 18.0.0-rc-1, < 18.1.0-rc-1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33137",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T13:24:33.961502Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T13:26:33.928Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 15.10.6, \u003c 16.10.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0, \u003c 17.10.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.0.0-rc-1, \u003c 18.1.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T18:20:49.991Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23953",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23953"
            }
          ],
          "source": {
            "advisory": "GHSA-qrvh-r3f2-9h4r",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33137",
        "datePublished": "2026-05-20T18:59:17.819Z",
        "dateReserved": "2026-03-17T20:35:49.929Z",
        "dateUpdated": "2026-05-26T18:20:49.991Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23734 (GCVE-0-2026-23734)

    Vulnerability from cvelistv5 – Published: 2026-05-20 18:39 – Updated: 2026-05-26 16:37
    VLAI
    Title
    XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash
    Summary
    XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability is can be exploited via resources parameter the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-commons Affected: >= 4.2-milestone-2, < 16.10.17
    Affected: >= 17.0.0-rc-1, < 17.4.9
    Affected: >= 17.5.0, < 17.10.3
    Affected: >= 18.0.0-rc-1, < 18.1.0-rc-1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23734",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T14:03:41.927653Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T14:03:55.529Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-commons",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2-milestone-2, \u003c 16.10.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0, \u003c 17.10.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.0.0-rc-1, \u003c 18.1.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg\u0026minify=false, leading to Path Traversal. The vulnerability is can be exploited via resources parameter the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T16:37:39.621Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-xq3r-2qv5-vqqm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-xq3r-2qv5-vqqm"
            },
            {
              "name": "https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf"
            },
            {
              "name": "https://jira.xwiki.org/browse/XCOMMONS-3547",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XCOMMONS-3547"
            }
          ],
          "source": {
            "advisory": "GHSA-xq3r-2qv5-vqqm",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23734",
        "datePublished": "2026-05-20T18:39:32.313Z",
        "dateReserved": "2026-01-15T15:45:01.957Z",
        "dateUpdated": "2026-05-26T16:37:39.621Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-51846 (GCVE-0-2025-51846)

    Vulnerability from cvelistv5 – Published: 2026-04-30 16:35 – Updated: 2026-04-30 17:15
    VLAI
    Title
    CryptPad unbounded WebSocket frame flood
    Summary
    CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    CryptPad CryptPad Affected: 2025.3.1 , < 2026.2.2 (custom)
    Unaffected: 2026.2.2
    Create a notification for this product.
    Date Public
    2026-03-25 00:00
    Credits
    John Perifanis, Unisystems
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-51846",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-30T17:15:22.933048Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-30T17:15:30.109Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "CryptPad",
              "vendor": "CryptPad",
              "versions": [
                {
                  "lessThan": "2026.2.2",
                  "status": "affected",
                  "version": "2025.3.1",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.2.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "John Perifanis, Unisystems"
            }
          ],
          "datePublic": "2026-03-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2025-51846",
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "yes"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2026-04-22T15:32:32.020942Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-30T16:35:59.625Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://github.com/cryptpad/cryptpad/pull/2239/changes/1e0c06ad8a0c5dab795f85f9730ec2693320c62e"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2025-51846"
            },
            {
              "name": "url",
              "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-01.json"
            },
            {
              "name": "url",
              "url": "https://github.com/JohnPerifanis/cryptpad-cve-2025-51846-advisory/blob/main/README.md"
            }
          ],
          "title": "CryptPad unbounded WebSocket frame flood"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2025-51846",
        "datePublished": "2026-04-30T16:35:59.625Z",
        "dateReserved": "2025-06-16T03:28:36.966Z",
        "dateUpdated": "2026-04-30T17:15:30.109Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40105 (GCVE-0-2026-40105)

    Vulnerability from cvelistv5 – Published: 2026-04-15 00:07 – Updated: 2026-04-15 16:13
    VLAI
    Title
    XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 10.4-rc-1, < 16.10.16
    Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40105",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T14:02:32.181983Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-15T16:13:48.450Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 10.4-rc-1, \u003c 16.10.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through  16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user\u0027s browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T00:07:23.150Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23472",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23472"
            }
          ],
          "source": {
            "advisory": "GHSA-w4fj-87j5-f25c",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40105",
        "datePublished": "2026-04-15T00:07:23.150Z",
        "dateReserved": "2026-04-09T01:41:38.536Z",
        "dateUpdated": "2026-04-15T16:13:48.450Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40104 (GCVE-0-2026-40104)

    Vulnerability from cvelistv5 – Published: 2026-04-15 00:01 – Updated: 2026-04-16 14:08
    VLAI
    Title
    XWiki's REST APIs can list all pages/spaces, leading to unavailability
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    xwiki org.xwiki.platform:xwiki-platform-oldcore Affected: >= 1.8-rc-1, < 16.10.16
    Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    Create a notification for this product.
    xwiki org.xwiki.platform:xwiki-platform-legacy-oldcore Affected: >= 1.8-rc-1, < 16.10.16
    Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40104",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T14:08:13.653691Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T14:08:58.592Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "org.xwiki.platform:xwiki-platform-oldcore",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.8-rc-1, \u003c 16.10.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            },
            {
              "product": "org.xwiki.platform:xwiki-platform-legacy-oldcore",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.8-rc-1, \u003c 16.10.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T00:01:58.583Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23550",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23550"
            }
          ],
          "source": {
            "advisory": "GHSA-mrqg-xmgm-rc5g",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki\u0027s REST APIs can list all pages/spaces, leading to unavailability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40104",
        "datePublished": "2026-04-15T00:01:58.583Z",
        "dateReserved": "2026-04-09T01:41:38.536Z",
        "dateUpdated": "2026-04-16T14:08:58.592Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33229 (GCVE-0-2026-33229)

    Vulnerability from cvelistv5 – Published: 2026-04-08 14:53 – Updated: 2026-04-10 20:33
    VLAI
    Title
    XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    Create a notification for this product.
    org.xwiki.platform xwiki-platform-legacy-oldcore Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    Create a notification for this product.
    org.xwiki.platform xwiki-platform-oldcore Affected: >= 17.0.0-rc-1, < 17.4.8
    Affected: >= 17.5.0-rc-1, < 17.10.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33229",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-10T20:32:55.827011Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T20:33:15.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            },
            {
              "product": "xwiki-platform-legacy-oldcore",
              "vendor": "org.xwiki.platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            },
            {
              "product": "xwiki-platform-oldcore",
              "vendor": "org.xwiki.platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.10.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don\u0027t recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T14:53:35.977Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23698",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23698"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23702",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23702"
            }
          ],
          "source": {
            "advisory": "GHSA-h259-74h5-4rh9",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33229",
        "datePublished": "2026-04-08T14:53:35.977Z",
        "dateReserved": "2026-03-18T02:42:27.507Z",
        "dateUpdated": "2026-04-10T20:33:15.897Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66024 (GCVE-0-2025-66024)

    Vulnerability from cvelistv5 – Published: 2026-03-04 21:47 – Updated: 2026-03-05 16:20
    VLAI
    Title
    XWiki Blog Application home page vulnerable to Stored XSS via Post Title
    Summary
    The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML <title> tag without proper escaping. An attacker with permissions to create or edit blog posts can inject malicious JavaScript into the title field. This script will execute in the browser of any user (including administrators) who views the blog post. This leads to potential session hijacking or privilege escalation. The vulnerability has been patched in the blog application version 9.15.7 by adding missing escaping. No known workarounds are available.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66024",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-05T16:19:54.455309Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-05T16:20:45.664Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "application-blog-ui",
              "vendor": "xwiki-contrib",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 9.15.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML \u003ctitle\u003e tag without proper escaping. An attacker with permissions to create or edit blog posts can inject malicious JavaScript into the title field. This script will execute in the browser of any user (including administrators) who views the blog post. This leads to potential session hijacking or privilege escalation. The vulnerability has been patched in the blog application version 9.15.7 by adding missing escaping. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-04T21:47:11.143Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki-contrib/application-blog/security/advisories/GHSA-h2xq-h7f9-vh6c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki-contrib/application-blog/security/advisories/GHSA-h2xq-h7f9-vh6c"
            },
            {
              "name": "https://github.com/xwiki-contrib/application-blog/commit/cca87f0a0edc2e7e049d46d51f4a4d8f78b714ba",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki-contrib/application-blog/commit/cca87f0a0edc2e7e049d46d51f4a4d8f78b714ba"
            },
            {
              "name": "https://jira.xwiki.org/browse/BLOG-245",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/BLOG-245"
            }
          ],
          "source": {
            "advisory": "GHSA-h2xq-h7f9-vh6c",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Blog Application home page vulnerable to Stored XSS via Post Title"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66024",
        "datePublished": "2026-03-04T21:47:11.143Z",
        "dateReserved": "2025-11-21T01:08:02.613Z",
        "dateUpdated": "2026-03-05T16:20:45.664Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-26000 (GCVE-0-2026-26000)

    Vulnerability from cvelistv5 – Published: 2026-02-12 20:30 – Updated: 2026-02-12 20:54
    VLAI
    Title
    XWiki Platform affected by click-jacking through CSS injection in comments
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
    Assigner
    References
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 17.5.0, < 17.9.0
    Affected: >= 17.0.0-rc-1, < 17.4.6
    Affected: < 16.10.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-26000",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T20:54:20.382398Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-12T20:54:45.754Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0, \u003c  17.9.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.10.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it\u0027s possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1021",
                  "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T20:30:07.263Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-74rh-c5rh-88vg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-74rh-c5rh-88vg"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.6"
            }
          ],
          "source": {
            "advisory": "GHSA-74rh-c5rh-88vg",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Platform affected by click-jacking through CSS injection in comments"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-26000",
        "datePublished": "2026-02-12T20:30:07.263Z",
        "dateReserved": "2026-02-09T17:41:55.859Z",
        "dateUpdated": "2026-02-12T20:54:45.754Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24128 (GCVE-0-2026-24128)

    Vulnerability from cvelistv5 – Published: 2026-01-23 23:18 – Updated: 2026-01-26 17:12
    VLAI
    Title
    XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: >= 7.0-milestone-2, < 16.10.12
    Affected: >= 17.0.0-rc-1, < 17.4.5
    Affected: >= 17.5.0-rc-1, < 17.8.0-rc-1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24128",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-26T17:12:38.601796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-26T17:12:52.761Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.0-milestone-2, \u003c 16.10.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.8.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-23T23:18:31.366Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23462",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23462"
            }
          ],
          "source": {
            "advisory": "GHSA-wvqx-m5px-6cmp",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-24128",
        "datePublished": "2026-01-23T23:18:31.366Z",
        "dateReserved": "2026-01-21T18:38:22.473Z",
        "dateUpdated": "2026-01-26T17:12:52.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-65091 (GCVE-0-2025-65091)

    Vulnerability from cvelistv5 – Published: 2026-01-10 03:06 – Updated: 2026-01-12 17:35
    VLAI
    Title
    XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService
    Summary
    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-65091",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T17:35:13.091420Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T17:35:19.706Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "macro-fullcalendar",
              "vendor": "xwiki-contrib",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.4.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-10T03:06:16.775Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5"
            },
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994"
            }
          ],
          "source": {
            "advisory": "GHSA-2g22-wg49-fgv5",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-65091",
        "datePublished": "2026-01-10T03:06:16.775Z",
        "dateReserved": "2025-11-17T20:55:34.691Z",
        "dateUpdated": "2026-01-12T17:35:19.706Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-65090 (GCVE-0-2025-65090)

    Vulnerability from cvelistv5 – Published: 2026-01-10 03:05 – Updated: 2026-01-12 17:36
    VLAI
    Title
    XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService
    Summary
    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-65090",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T17:36:31.744611Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T17:36:38.233Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "macro-fullcalendar",
              "vendor": "xwiki-contrib",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.4.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-10T03:06:03.471Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m"
            },
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884"
            },
            {
              "name": "https://jira.xwiki.org/browse/FULLCAL-82",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/FULLCAL-82"
            }
          ],
          "source": {
            "advisory": "GHSA-637h-ch24-xp9m",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-65090",
        "datePublished": "2026-01-10T03:05:06.531Z",
        "dateReserved": "2025-11-17T20:55:34.691Z",
        "dateUpdated": "2026-01-12T17:36:38.233Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66474 (GCVE-0-2025-66474)

    Vulnerability from cvelistv5 – Published: 2025-12-10 21:59 – Updated: 2025-12-11 15:39
    VLAI
    Title
    XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection
    Summary
    XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit through RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-rendering Affected: < 16.10.10
    Affected: >= 17.0.0-rc-1, < 17.4.3
    Affected: >= 17.5.0-rc-1, < 17.6.0-rc-1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66474",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-11T15:39:13.257183Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T15:39:27.299Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XRENDERING-793"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XRENDERING-792"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XRENDERING-693"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-rendering",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.10.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.6.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit through RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-95",
                  "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T21:59:58.727Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/12b780ccd5bca5fc8f74f46648d7e02fa04fbc11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/12b780ccd5bca5fc8f74f46648d7e02fa04fbc11"
            },
            {
              "name": "https://github.com/xwiki/xwiki-rendering/commit/9b71a2ee035815cfc29cebbfe81dbdd98f941d49",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-rendering/commit/9b71a2ee035815cfc29cebbfe81dbdd98f941d49"
            },
            {
              "name": "https://jira.xwiki.org/browse/XRENDERING-693",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XRENDERING-693"
            },
            {
              "name": "https://jira.xwiki.org/browse/XRENDERING-792",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XRENDERING-792"
            },
            {
              "name": "https://jira.xwiki.org/browse/XRENDERING-793",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XRENDERING-793"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23378",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23378"
            }
          ],
          "source": {
            "advisory": "GHSA-9xc6-c2rm-f27p",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66474",
        "datePublished": "2025-12-10T21:59:58.727Z",
        "dateReserved": "2025-12-02T16:23:01.098Z",
        "dateUpdated": "2025-12-11T15:39:27.299Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66473 (GCVE-0-2025-66473)

    Vulnerability from cvelistv5 – Published: 2025-12-10 21:51 – Updated: 2025-12-11 15:39
    VLAI
    Title
    XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis
    Summary
    XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: < 16.10.11
    Affected: >= 17.0.0-rc-1, < 17.4.4
    Affected: >= 17.5.0-rc-1, < 17.7.0-rc-1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66473",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-11T15:39:41.356268Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T15:39:53.549Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://jira.xwiki.org/browse/XWIKI-23355"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.10.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-rc-1, \u003c 17.4.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.5.0-rc-1, \u003c 17.7.0-rc-1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn\u0027t enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T21:51:55.836Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23355",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23355"
            }
          ],
          "source": {
            "advisory": "GHSA-cc84-q3v3-mhgf",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki\u0027s REST APIs don\u0027t enforce any limits, leading to unavailability and OOM in large wikis"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66473",
        "datePublished": "2025-12-10T21:51:55.836Z",
        "dateReserved": "2025-12-02T16:23:01.097Z",
        "dateUpdated": "2025-12-11T15:39:53.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66472 (GCVE-0-2025-66472)

    Vulnerability from cvelistv5 – Published: 2025-12-10 21:34 – Updated: 2025-12-11 15:40
    VLAI
    Title
    XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication
    Summary
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the "No" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    xwiki xwiki-platform Affected: org.xwiki.platform:xwiki-platform-flamingo-skin-resources >= 6.2-milestone-1, < 16.10.10
    Affected: org.xwiki.platform:xwiki-platform-flamingo-skin-resources >= 17.0.0-rc-1, < 17.4.2
    Affected: org.xwiki.platform:xwiki-platform-web-templates >= 6.2-milestone-1, < 16.10.10
    Affected: org.xwiki.platform:xwiki-platform-web-templates >= 17.0.0-rc-1, < 17.4.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66472",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-11T15:40:26.291295Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T15:40:38.484Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-platform",
              "vendor": "xwiki",
              "versions": [
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-flamingo-skin-resources \u003e= 6.2-milestone-1, \u003c 16.10.10"
                },
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-flamingo-skin-resources \u003e= 17.0.0-rc-1, \u003c 17.4.2"
                },
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-web-templates \u003e= 6.2-milestone-1, \u003c 16.10.10"
                },
                {
                  "status": "affected",
                  "version": "org.xwiki.platform:xwiki-platform-web-templates \u003e= 17.0.0-rc-1, \u003c 17.4.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through  17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the \"No\" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T21:34:47.460Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-23244",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-23244"
            }
          ],
          "source": {
            "advisory": "GHSA-7vpr-jm38-wr7w",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66472",
        "datePublished": "2025-12-10T21:34:47.460Z",
        "dateReserved": "2025-12-02T15:43:16.586Z",
        "dateUpdated": "2025-12-11T15:40:38.484Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-65036 (GCVE-0-2025-65036)

    Vulnerability from cvelistv5 – Published: 2025-12-05 16:10 – Updated: 2025-12-05 16:27
    VLAI
    Title
    XWiki Remote Macros vulnerable to remote code execution using the confluence details summary macro
    Summary
    XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    xwikisas xwiki-pro-macros Affected: < 1.27.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-65036",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-05T16:26:53.406955Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-05T16:27:31.564Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xwiki-pro-macros",
              "vendor": "xwikisas",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.27.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-05T16:10:08.595Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-472x-fwh9-r82f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-472x-fwh9-r82f"
            }
          ],
          "source": {
            "advisory": "GHSA-472x-fwh9-r82f",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Remote Macros vulnerable to remote code execution using the confluence details summary macro"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-65036",
        "datePublished": "2025-12-05T16:10:08.595Z",
        "dateReserved": "2025-11-13T15:36:51.684Z",
        "dateUpdated": "2025-12-05T16:27:31.564Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }