CVE-2026-33229
Published 2026-04-08
Priority P2 65 · critical · 9.8 CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.54% (41.3th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| org.xwiki.platform | xwiki-platform-legacy-oldcore | — | — |
| org.xwiki.platform | xwiki-platform-oldcore | — | — |
| xwiki | xwiki | >= 17.0.0 < 17.4.8 | 17.4.8 |
| xwiki | xwiki | >= 17.5.0 < 17.10.1 | 17.10.1 |
| xwiki | xwiki-platform | — | — |
Detection & IOCs (extracted from sources)
- Detect abuse of the Velocity scripting API sandbox bypass in XWiki by monitoring for execution of non-Java scripting languages (e.g., Python) initiated from within the XWiki page rendering context, which would indicate exploitation of the improperly protected scripting API.
- Exploitation requires 'script right' in XWiki, which is described as a high-privilege role. Environments where script right is granted to untrusted users are at elevated risk.
- Affected Maven artifacts are org.xwiki.platform:xwiki-platform-legacy-oldcore and org.xwiki.platform:xwiki-platform-oldcore. Fixed versions are 17.4.8 and 17.10.1.
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v4.0: 8.6 HIGH (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
OSV
XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API
osv · 2026-04-08 · CVE-2026-33229 [HIGH]
### Impact
An improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users.
### Patches
The vulnerability has been patched in XWiki 17.4.8 and 17.10.1 by requiring programming right to access the affected scripting API.
### Workarounds
We're not aware of any workarounds except for being careful whom you grant script right.
### A
GHSA
XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API
ghsa · 2026-04-08 · CVE-2026-33229 [HIGH] · CWE-862
(Impact, Patches and Workarounds text identical to the OSV entry above.)
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-35571 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · [HIGH]
## CVE-2026-35571: Java vulnerability analysis and mitigation
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0.
Source: NVD
## 4.8
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Java
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.5
Wiz
CVE-2026-5795 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · [HIGH]
## CVE-2026-5795: Java vulnerability analysis and mitigation
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to broken access control and privilege escalation.
Source: NVD
## 7.4
Score
Published April 8, 2026
Severity HIGH
CNA Score 7.4
Affected Technologies
Java
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.2
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-35581 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · [HIGH]
## CVE-2026-35581: Java vulnerability analysis and mitigation
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0.
Source: NVD
## 7.2
Score
Published April 7, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
Java
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.5
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-35583 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · [HIGH]
## CVE-2026-35583: Java vulnerability analysis and mitigation
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for , /, .., and trailing .. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory. This vulnerability is fixed in 8.39.0.
Source: NVD
## 5.3
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Java
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Wiz
CVE-2026-33229 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · [HIGH]
## CVE-2026-33229: Java vulnerability analysis and mitigation
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
Source: NVD
## 8.6
Score
Published April 8, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Java
Wiz
CVE-2026-37977 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · [HIGH]
## CVE-2026-37977: Java vulnerability analysis and mitigation
(Description not captured in this extract; only the fragments `azp`, `Access-Control-Allow-Origin` and `webOrigins: ["*"]` survive.)
Source: NVD
## 3.7
Score
Published April 6, 2026
Severity LOW
CNA Score 3.7
Affected Technologies
Java
Keycloak
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
keycloak
keycloak-fips
Sources
- NVD
- Maven: Severity LOW · No Fix · Added at: Apr 09, 2026
- MinimOS: Severity LOW · Has Fix · Added at: Apr 09, 2026
## Related Java vulnerabilities:
Wiz
CVE-2026-5739 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · [HIGH]
## CVE-2026-5739: Java vulnerability analysis and mitigation
A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.
Source: NVD
## 6.9
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Java
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.5
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-33227 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3 · [MEDIUM]
## CVE-2026-33227: Java vulnerability analysis and mitigation
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.
In two instances (when creating a Stomp consumer and also when browsing messages in the Web console) an authenticated user-provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath resource loading vulnerability that could potentially be chained together with another attack to lead to an exploit.
This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache Active
Wiz
CVE-2026-35580 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · [HIGH]
## CVE-2026-35580: Java vulnerability analysis and mitigation
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0.
Source: NVD
## 9.1
Score
Published April 7, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Java
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3
Wiz
CVE-2026-5736 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · [HIGH]
## CVE-2026-5736: Java vulnerability analysis and mitigation
A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unknown function of the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java of the component detailPlus Endpoint. The manipulation of the argument customQuery leads to sql injection. Remote exploitation of the attack is possible. The project was informed of the problem early through an issue report but has not responded yet.
Source: NVD
## 6.9
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Java
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Wiz
CVE-2026-33439 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2026-33439: Java vulnerability analysis and mitigation
Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains jato:form tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.
Source: NVD
## 9.3
Score
Published April 7
Wiz
GHSA-jx2w-vp7f-456q Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.3 · [CRITICAL]
## GHSA-jx2w-vp7f-456q: Java vulnerability analysis and mitigation
## Summary
A path traversal vulnerability was discovered in the quarkus-openapi-generator extension.
## Details
(Details prose not captured in this extract; only the code references survive: `unzip()`, `ApicurioCodegenWrapper.java`, `new File(toOutputDir, entry.getName())`, `../../malicious.java`, `OpenApiGeneratorStreamCodeGen.java`, `normalize()`, `startsWith()`.)
## PoC
This vulnerability is exploitable when an attacker controls or can intercept the ZIP archive served by the Apicurio registry. In environments where the registry connection is over an untrusted network or where TLS is not properly configured, exploitation becomes practical. The attack occurs at build/codegen time.
../../proof.txt
Configure quarkus-openapi-generator to use the server (Apicurio) code generation path
Serve the malicious
Wiz
CVE-2026-35568 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · [HIGH]
## CVE-2026-35568: Java vulnerability analysis and mitigation
MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to 1.0.0, the java-sdk contains a DNS rebinding vulnerability. This vulnerability allows an attacker to access a locally or network-private java-sdk MCP server via a victim's browser that is either local or network adjacent. This allows an attacker to make any tool call to the server as if they were a locally running MCP-connected AI agent. This vulnerability is fixed in 1.0.0.
Source: NVD
## 7.6
Score
Published April 7, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
Java
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Published 2026-04-08