cbcvebase.
CVE-2026-33229
published 2026-04-08


Priority: P2, score 65 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.54% (percentile 41.3)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.

Affected

8 ranges

Vendor              Product                        Version range          Fixed in
org.xwiki.platform  xwiki-platform-legacy-oldcore  -                      -
org.xwiki.platform  xwiki-platform-legacy-oldcore  -                      -
org.xwiki.platform  xwiki-platform-oldcore         -                      -
org.xwiki.platform  xwiki-platform-oldcore         -                      -
xwiki               xwiki                          >= 17.0.0, < 17.4.8    17.4.8
xwiki               xwiki                          >= 17.5.0, < 17.10.1   17.10.1
xwiki               xwiki-platform                 -                      -
xwiki               xwiki-platform                 -                      -

(Rows marked "-" carry no version range on this page; only the two xwiki rows state bounds.)
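To turn the table above into a check, here is an added example (not XWiki project code and not from this page) that tests a version string against the two stated ranges and scans `mvn dependency:list` output for the two oldcore artifacts. The sample dependency list is constructed; applying the xwiki ranges to the oldcore artifacts, whose rows carry no range on this page, is an assumption. Pre-release qualifiers such as `-rc-1` are sorted before the final release, as Maven does, so `17.4.8-rc-1` still counts as affected.

```python
"""Check XWiki versions and Maven coordinates against the affected ranges.

Added example; the ranges are the two from the advisory table, and reusing
them for the oldcore artifacts (no range given on the page) is an assumption.
"""
import re
from typing import List, Optional, Tuple

# (major, minor, patch, 1 for a final release / 0 for a pre-release such as -rc-1)
Version = Tuple[int, int, int, int]

# [lower, upper) ranges from the table; the upper bound is also the fix version.
AFFECTED_RANGES = [
    ((17, 0, 0), (17, 4, 8)),
    ((17, 5, 0), (17, 10, 1)),
]
AFFECTED_ARTIFACTS = {
    "org.xwiki.platform:xwiki-platform-oldcore",
    "org.xwiki.platform:xwiki-platform-legacy-oldcore",
}


def parse_version(text: str) -> Version:
    """Parse '17.4.8' or '17.4.8-rc-1'; a qualified version sorts before the final one."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-(.*))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0), 0 if m[4] else 1)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fix version if `version` falls in an affected range, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        # Bounds are final releases, so append the final-release flag before comparing.
        if lo + (1,) <= v < hi + (1,):
            return "%d.%d.%d" % hi
    return None


# groupId:artifactId:type[:classifier]:version:scope, as printed by `mvn dependency:list`
DEP_LINE_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w\-]+:)?([\w.\-]+):[a-z]+")


def scan_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, fix) for every affected oldcore line in the output."""
    hits = []
    for m in DEP_LINE_RE.finditer(text):
        artifact = f"{m[1]}:{m[2]}"
        if artifact in AFFECTED_ARTIFACTS:
            fix = fixed_version_for(m[3])
            if fix:
                hits.append((artifact, m[3], fix))
    return hits


# Constructed sample in `mvn dependency:list` format (not from a real build).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.xwiki.platform:xwiki-platform-oldcore:jar:17.4.7:compile
[INFO]    org.xwiki.platform:xwiki-platform-legacy-oldcore:jar:17.10.1:compile
[INFO]    org.xwiki.commons:xwiki-commons-component-api:jar:17.4.7:compile
"""

if __name__ == "__main__":
    for v in ("17.4.7", "17.4.8", "17.4.8-rc-1", "17.9.0", "17.10.1", "16.10.5"):
        print(f"{v:>12}: {fixed_version_for(v) or 'not in an affected range'}")
    for artifact, version, fix in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact} {version} -> upgrade to {fix}")
```

Note that `17.4.9` would not be matched: the 17.4.x branch is fixed at 17.4.8, and the second range starts at 17.5.0. Versions outside both ranges (e.g. 16.x) are reported as not affected only in the sense that the page lists no range for them.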

Detection & IOCs (extracted from sources)

  • Hunt for the bypass by looking for scripting languages other than Velocity (e.g., Python) being executed from the page-rendering context on behalf of a user who holds only script right. With the sandbox intact, script right does not reach those engines, so such executions point at abuse of the improperly protected scripting API.
  • Exploitation requires script right in XWiki, which the advisory describes as a high level of access that should not be granted to untrusted users. Instances that do grant it to untrusted users are at elevated risk.
  • Affected Maven artifacts are org.xwiki.platform:xwiki-platform-legacy-oldcore and org.xwiki.platform:xwiki-platform-oldcore. Fixed versions are 17.4.8 and 17.10.1.
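For the first bullet, an added example (not part of this page and not XWiki project code) that scans exported XWiki pages for script macros that script right alone should not be able to run. It assumes XWiki's XML page export (web, name, contentAuthor and content elements) and XWiki 2.x macro syntax ({{velocity}}, {{python}}, {{groovy}}, {{script language="..."}}). The keyword list applied to Velocity bodies is a hunting heuristic of my own, not a signature of the vulnerable API, which the advisory does not name; expect false positives and review hits by hand. The sample pages, including the `$foo.run` call in one of them, are constructed.

```python
"""Hunt for script-right abuse in exported XWiki pages.

Added example. Assumptions: pages are XWiki XML exports with <web>, <name>,
<contentAuthor> and <content> elements; script macros use XWiki 2.x syntax.
The Velocity keyword list is a heuristic, not a signature for CVE-2026-33229.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Set, Tuple

# {{python}}...{{/python}} style macros and the generic {{script language="x"}} form.
NAMED_MACRO_RE = re.compile(
    r"\{\{(velocity|groovy|python|php)\b[^}]*\}\}(.*?)\{\{/\1\}\}", re.S | re.I)
SCRIPT_MACRO_RE = re.compile(
    r'\{\{script\s+language\s*=\s*"([^"]+)"[^}]*\}\}(.*?)\{\{/script\}\}', re.S | re.I)
# Words in a Velocity body that suggest it is trying to reach a second engine (heuristic).
ENGINE_HINT_RE = re.compile(r"\b(python|jython|groovy|scriptengine)\b", re.I)


@dataclass(frozen=True)
class Finding:
    page: str
    author: str
    language: str
    reason: str


def iter_script_macros(content: str) -> Iterator[Tuple[str, str]]:
    """Yield (language, body) for every script macro found in wiki content."""
    for m in NAMED_MACRO_RE.finditer(content):
        yield m.group(1).lower(), m.group(2)
    for m in SCRIPT_MACRO_RE.finditer(content):
        yield m.group(1).lower(), m.group(2)


def scan_page(xml_text: str, programming_users: Set[str]) -> List[Finding]:
    """Flag script macros that script right alone should not be able to run.

    `programming_users` is the allow-list of accounts that legitimately hold
    programming right; anyone else saving a non-Velocity macro is reported.
    """
    root = ET.fromstring(xml_text)
    page = f"{root.findtext('web')}.{root.findtext('name')}"
    author = root.findtext("contentAuthor") or "?"
    findings: List[Finding] = []
    for language, body in iter_script_macros(root.findtext("content") or ""):
        if language == "velocity":
            hint = ENGINE_HINT_RE.search(body)
            if hint:
                findings.append(Finding(page, author, language,
                                        f"Velocity body mentions {hint.group(1)!r}"))
        elif author not in programming_users:
            findings.append(Finding(page, author, language,
                                    "non-Velocity script macro saved by a user without programming right"))
    return findings


def scan_pages(pages: Iterable[str], programming_users: Set[str]) -> List[Finding]:
    """Scan several exported pages and concatenate the findings in input order."""
    out: List[Finding] = []
    for page in pages:
        out.extend(scan_page(page, programming_users))
    return out


# Constructed sample exports (not real XWiki pages).
SAMPLE_PAGES = [
    # ordinary Velocity: the kind of content script right is meant to allow
    "<xwikidoc><web>Sandbox</web><name>Hello</name>"
    "<contentAuthor>XWiki.Alice</contentAuthor>"
    "<content>{{velocity}}Hello $xcontext.user{{/velocity}}</content></xwikidoc>",
    # Velocity that reaches for another engine; $foo.run is a constructed stand-in
    "<xwikidoc><web>Sandbox</web><name>Pivot</name>"
    "<contentAuthor>XWiki.Alice</contentAuthor>"
    "<content>{{velocity}}#set($lang = \"python\")\n"
    "$foo.run($lang, \"import os; os.system('id')\"){{/velocity}}</content></xwikidoc>",
    # a python macro saved by a user who is not on the programming-right allow-list
    "<xwikidoc><web>Sandbox</web><name>Shell</name>"
    "<contentAuthor>XWiki.Bob</contentAuthor>"
    "<content>{{python}}import os\nprint(os.getcwd()){{/python}}</content></xwikidoc>",
    # the same macro saved by an allow-listed admin, which is expected and not reported
    "<xwikidoc><web>Admin</web><name>Maint</name>"
    "<contentAuthor>XWiki.Admin</contentAuthor>"
    "<content>{{python}}print('ok'){{/python}}</content></xwikidoc>",
]

if __name__ == "__main__":
    for f in scan_pages(SAMPLE_PAGES, {"XWiki.Admin"}):
        print(f"{f.page} by {f.author} [{f.language}]: {f.reason}")
```

Run it against a full XAR export of the wiki, with `programming_users` set to the accounts you actually expect to hold programming right; a non-Velocity macro saved by anyone else is the strongest signal, and the Velocity keyword hits are the leads to read by hand.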

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 8.6 HIGH
  CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

The two vectors disagree on the privileges required: v3.1 scores PR:N, while v4.0 scores PR:H, which matches the description (the attacker must already hold script right). Read the 9.8 as an upper bound and weigh it against who actually holds script right on your instance.