cvebase

Xwiki Xwiki-Platform vulnerabilities

227 known vulnerabilities affecting xwiki/xwiki-platform.

Total CVEs: 227
CISA KEV: 1 (actively exploited)
Public exploits: 36
Exploited in wild: 14
Severity breakdown: CRITICAL 29, HIGH 111, MEDIUM 84, LOW 3

Vulnerabilities

Page 1 of 12
CVE-2025-24893 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC
  Affected: >= 5.3-milestone-2, < 15.10.11; >= 16.0.0-rc-1, < 16.4.1
  Date: 2025-02-20
  CWE-95: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `/
  Source: nvd
CVE-2024-21650 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC
  Affected: >= 2.2, < 14.10.17; >= 15.0-rc-1, < 15.5.3; +1 more
  Date: 2024-01-08
  CWE-95: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user regis
  Source: nvd
CVE-2025-32429 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC
  Affected: >= 9.4-rc-1, < 16.10.6; >= 17.0.0-rc-1, < 17.3.0-rc-1
  Date: 2025-07-24
  CWE-89: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 1
  Source: nvd
CVE-2025-32969 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC
  Affected: >= 1.8, < 15.10.16; >= 16.0.0-rc-1, < 16.4.6; +1 more
  Date: 2025-04-23
  CWE-89: XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing p
  Source: nvd
CVE-2024-31982 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC
  Affected: >= 2.4-milestone-1, < 14.10.20; >= 15.0-rc-1, < 15.5.4; +1 more
  Date: 2024-04-10
  CWE-95: XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessibl
  Source: nvd
CVE-2025-55747 | P1 | CRITICAL | CVSS 9.1 | Exploited | PoC
  Affected: >= 6.1-milestone-2, < 16.10.7
  Date: 2025-09-03
  CWE-23: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.
  Source: nvd
CVE-2025-52472 | P1 | CRITICAL | CVSS 9.3 | Exploited | PoC
  Affected: >= 4.3-milestone-1, < 16.10.9; >= 17.0.0-rc-1, < 17.4.2
  Date: 2025-10-06
  CWE-89: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The specified value is added twice in the query, though, once in the field
  Source: nvd
CVE-2025-46554 | P1 | MEDIUM | CVSS 5.3 | Exploited | PoC
  Affected: >= 1.8.1, < 14.10.22; >= 15.0-rc-1, < 15.10.12; +2 more
  Date: 2025-04-30
  CWE-862: XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. There is no filtering for the results depending on cur
  Source: nvd
CVE-2025-55748 | P1 | HIGH | CVSS 7.5 | Exploited | PoC
  Affected: >= 4.2-milestone-2, < 16.10.7
  Date: 2025-09-03
  CWE-23: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-I
  Source: nvd
CVE-2025-29925 | P1 | MEDIUM | CVSS 5.3 | Exploited | PoC
  Affected: >= 1.9M1, < 15.10.14; >= 16.0.0-rc-1, < 16.4.6; +1 more
  Date: 2025-03-19
  CWE-402: XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would
  Source: nvd
CVE-2025-55749 | P1 | HIGH | CVSS 7.5 | Exploited | PoC
  Affected: >= 16.7.0, < 16.10.11; >= 17.0.0-rc1, < 17.4.4; +1 more
  Date: 2025-12-01
  CWE-284: XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contain credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.
  Source: nvd
CVE-2023-46732 | P1 | MEDIUM | CVSS 6.1 | Exploited | PoC
  Affected: >= 9.7-rc-1, < 14.10.14; >= 15.0-rc-1, < 15.5.1
  Date: 2023-11-06
  CWE-79: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to reflected cross-site scripting (RXSS) via the `rev` parameter that is used in the content of the content menu without escaping. If an attacker can convince a user to visit a link with a crafted parameter, this allows the att
  Source: nvd
CVE-2025-32970 | P1 | MEDIUM | CVSS 6.1 | Exploited | PoC
  Affected: >= 13.5-rc-1, < 15.10.13; >= 16.0.0-rc-1, < 16.4.4; +1 more
  Date: 2025-04-30
  CWE-601: XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirects to any URL. This issue has been patched in vers
  Source: nvd
CVE-2025-54125 | P2 | MEDIUM | CVSS 6.5 | Exploited | PoC
  Affected: >= 1.1, < 16.4.7; >= 16.5.0-rc-1, < 16.10.5; +1 more
  Date: 2025-08-06
  CWE-359: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by
  Source: nvd
CVE-2023-37462 | P1 | HIGH | CVSS 8.8 | PoC
  Affected: >= 7.0-rc-1, < 14.4.8; >= 14.5, < 14.10.4
  Date: 2023-07-14
  CWE-74: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macro
  Source: nvd
CVE-2023-50719 | P2 | HIGH | CVSS 7.5 | PoC
  Affected: >= 7.2-milestone-2, < 14.10.15; >= 15.0-rc-1, < 15.5.2; +1 more
  Date: 2023-12-15
  CWE-200: XWiki Platform is a generic wiki platform. Starting in 7.2-milestone-2 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the password hashes of all users to anyone with view right on the respective user profiles. By default, all user profiles are public. This vulnerability also affects any configurations u
  Source: nvd
CVE-2023-48241 | P2 | HIGH | CVSS 7.5 | PoC
  Affected: >= 6.3-milestone-2, < 14.10.15; >= 15.0-rc-1, < 15.5.1
  Date: 2023-11-20
  CWE-285: XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 14.10.15, 15.5.1, and 15.6RC1, the Solr-based search suggestion provider that also duplicates as generic JavaScript API for search results in XWiki exposes the content of all documents of all wikis to anybody who has access to it, by default it is publ
  Source: nvd
CVE-2024-31984 | P1 | HIGH | CVSS 8.8
  Affected: >= 7.2-rc-1, < 14.10.20; >= 15.0-rc-1, < 15.5.4; +1 more
  Date: 2024-04-10
  CWE-95: XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execut
  Source: nvd
CVE-2023-46731 | P2 | CRITICAL | CVSS 9.8
  Affected: org.xwiki.platform:xwiki-platform-administration: < 14.10.14; org.xwiki.platform:xwiki-platform-administration-ui: < 14.10.14; +1 more
  Date: 2023-11-06
  CWE-94: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sections. This allows any user with read access to the document `XWiki.AdminSheet` (by default, everyone including unauthenticated use
  Source: nvd
CVE-2024-31997 | P2 | HIGH | CVSS 8.8
  Affected: fixed in 14.10.19; >= 15.0-rc-1, < 15.5.4; +1 more
  Date: 2024-04-10
  CWE-862: XWiki Platform is a generic wiki platform. Prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, parameters of UI extensions are always interpreted as Velocity code and executed with programming rights. Any user with edit right on any document like the user's own profile can create UI extensions. This allows remote code execution and thereby impacts the
  Source: nvd