CVE-2026-33137
Published 2026-05-20
Priority P260 · critical · CVSS 4.0 base score 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS 0.59% (44.0th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
GHSA (2026-05-26): CVE-2026-33137 [CRITICAL] CWE-862
XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
### Impact
`POST /wikis/{wikiName}` executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki.
### Patches
This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
### Workarounds
XWiki is not aware of any workarounds other than adding a rule to an HTTP proxy that blocks POST requests to the `/wikis/{wikiName}[/]` endpoint.
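The following nginx configuration is an added example of the proxy rule the workaround describes; it is not part of the advisory and not XWiki's own configuration. It assumes XWiki is deployed under the `/xwiki` context path (so the REST resource is served at `/xwiki/rest/wikis/{wikiName}`), and the upstream name, listen address and server name are placeholders.

```nginx
# Added example (not from the XWiki advisory): refuse POST to the
# /wikis/{wikiName}[/] REST resource at the reverse proxy, as a stopgap
# until the patched XWiki version is deployed.
# Assumptions: XWiki runs under the /xwiki context path; "xwiki_backend"
# and the addresses below are placeholders for the real deployment.
upstream xwiki_backend {
    server 127.0.0.1:8080;          # placeholder: XWiki servlet container
}

server {
    listen 443 ssl;
    server_name wiki.example.org;   # placeholder
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Case-sensitive regex matching exactly /xwiki/rest/wikis/<name>, with or
    # without a trailing slash. The [^/]+ keeps sub-resources such as
    # /wikis/<name>/spaces on the general location below, so only the wiki
    # resource itself is affected.
    location ~ ^/xwiki/rest/wikis/[^/]+/?$ {
        # Reject the XAR-import method before the request reaches XWiki;
        # GET and other methods on this resource still pass through.
        if ($request_method = POST) {
            return 403;
        }
        proxy_pass http://xwiki_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://xwiki_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After reloading nginx, confirm the rule matches the real path of your deployment: a GET on `/xwiki/rest/wikis/<name>` should still be answered by XWiki, while a POST to the same path should receive a 403 from the proxy and never appear in XWiki's own logs. Treat this as a temporary mitigation only; the fixed versions listed under Patches remove the missing check at the source.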
### Resources
* https://jira.xwiki.org/browse/XWIKI-23953
* https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f
### For more information
If there are any questions or comments about this advisor
VulDB (2026-05-20, CVSS 9.3): CVE-2026-33137 [CRITICAL]
xwiki xwiki-platform up to 16.10.16/17.4.8/17.10.2/18.0.x API /wikis/ authorization
A vulnerability was found in xwiki xwiki-platform up to 16.10.16/17.4.8/17.10.2/18.0.x. It has been classified as critical. The impacted element is an unknown function of the file /wikis/ of the component API. The manipulation leads to missing authorization.
This vulnerability is listed as CVE-2026-33137. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-20