cbcvebase.

Xwiki Xwiki-Commons vulnerabilities

9 known vulnerabilities affecting xwiki/xwiki-commons.

Total CVEs
9
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL6HIGH1MEDIUM2

Vulnerabilities

Page 1 of 1
CVE-2026-23734P2CRITICALCVSS 9.3v>= 4.2-milestone-2, < 16.10.17v>= 17.0.0-rc-1, < 17.4.9+2 more2026-05-20
CVE-2026-23734 [CRITICAL] CWE-23 CVE-2026-23734: XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10 XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability is can be exploited via resources parameter the
nvd
CVE-2024-31996P2CRITICALCVSS 9.8v>= 3.0.1, < 14.10.19v>= 15.0-rc-1, < 15.5.4+1 more2024-04-10
CVE-2024-31996 [CRITICAL] CWE-95 CVE-2024-31996: XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution. The vulnerability has been fixed in XWiki 14.10.1
nvd
CVE-2023-26055P3CRITICALCVSS 9.9v>= 3.1-milestone-1, < 13.10.9v>= 14.0-rc-1, < 14.4.4+1 more2023-03-02
CVE-2023-26055 [CRITICAL] CWE-150 CVE-2023-26055: XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in a
nvd
CVE-2022-24897P3HIGHCVSS 7.5v>= 2.3, < 12.6.7v12.7-rc-1, < 12.10.32022-05-02
CVE-2022-24897 [HIGH] CWE-22 CVE-2022-24897: APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Star APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Scri
nvd
CVE-2023-29528P3CRITICALCVSS 9.0v>= 4.2-milestone-1, < 14.102023-04-20
CVE-2023-29528 [CRITICAL] CWE-79 CVE-2023-29528: XWiki Commons are technical libraries common to several other top level XWiki projects. The "restric XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any cod
nvd
CVE-2023-29201P3CRITICALCVSS 9.0v>= 4.2-milestone-1, < 14.6-rc-12023-04-15
CVE-2023-29201 [CRITICAL] CWE-79 CVE-2023-29201: XWiki Commons are technical libraries common to several other top level XWiki projects. The "restric XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `` and ``-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like ``. As a consequence, any code relying on this "re
nvd
CVE-2023-31126P3CRITICALCVSS 9.6v>= 14.6-rc-1, < 14.10.42023-05-09
CVE-2023-31126 [CRITICAL] CWE-86 CVE-2023-31126: `org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. `org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are
nvd
CVE-2023-36471P4MEDIUMCVSS 5.4v>= 14.6-rc-1, < 14.10.6v>= 15.0-rc-1, < 15.2-rc-12023-06-29
CVE-2023-36471 [MEDIUM] CWE-74 CVE-2023-36471: Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attack
nvd
CVE-2022-24898P4MEDIUMCVSS 4.9v>= 2.7, < 12.10.10v>= 13.0, < 13.4.4+1 more2022-04-28
CVE-2022-24898 [MEDIUM] CWE-611 CVE-2022-24898: org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Start org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The prob
nvd
Xwiki Xwiki-Commons vulnerabilities | cvebase