
Xwiki Xwiki-Platform vulnerabilities

227 known vulnerabilities affecting xwiki/xwiki-platform.

Total CVEs: 227
CISA KEV: 1 (actively exploited)
Public exploits: 36
Exploited in wild: 14
Severity breakdown: CRITICAL 29, HIGH 111, MEDIUM 84, LOW 3

Vulnerabilities

Page 10 of 12
CVE-2026-26000 | P4 | MEDIUM | CVSS 6.1 | affected: >= 17.5.0, < 17.9.0; >= 17.0.0-rc-1, < 17.4.6; +1 more | 2026-02-12
CVE-2026-26000 [MEDIUM] CWE-1021: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it is possible, using comments, to inject CSS that turns the whole wiki page into a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.
Source: nvd
CVE-2021-32729 | P4 | MEDIUM | CVSS 5.4 | affected: > 11.6RC1, < 12.6.8; >= 12.10.0, < 12.10.4 | 2021-07-01
CVE-2021-32729 [MEDIUM] CWE-693: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A vulnerability exists in versions prior to 12.6.8, 12.10.4, and 13.0. The script service method used to reset the authentication failures record can be executed by any user with Script rights and does not require Programming rights. An attacker …
Source: nvd
CVE-2021-43841 | P4 | MEDIUM | CVSS 5.4 | fixed in 12.10.6; affected: >= 13.0, < 13.3RC1 | 2022-02-04
CVE-2021-43841 [MEDIUM] CWE-79: XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using the default XWiki configuration, it is possible for an attacker to upload an SVG containing a script that is executed when the download action is invoked on the file. This problem has been patched so that the default configuration doesn't allow displaying the …
Source: nvd
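CVE-2021-43841 above is the classic SVG-as-XSS case: an SVG is XML and may carry `<script>` elements, `on*` event-handler attributes or `javascript:` links, so an SVG served inline from the wiki's own origin runs attacker script with the victim's session. The following is an added illustration, not XWiki's code and not the patch the entry refers to (the page text is cut off before it says what the fixed default is). It assumes nothing about XWiki internals: a scanner that flags active content in an uploaded SVG, and a hypothetical `download_headers` helper that forces SVG and other browser-interpretable types to be sent as downloads with a sandboxing CSP instead of being rendered. The sample SVGs are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Element names that can run script when an SVG is rendered inline.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# Attributes whose value is a URL and may therefore carry a javascript: scheme.
URL_ATTRIBUTES = {"href", "from", "to"}
# MIME types a browser will interpret as an active document on our origin.
ACTIVE_MIME = {"image/svg+xml", "text/html", "application/xhtml+xml",
               "application/xml", "text/xml"}


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix: '{http://...}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def svg_active_content(data: bytes) -> list:
    """Return human-readable findings for script-capable constructs in an SVG document.

    An empty list means nothing active was found; it does not prove the file is
    benign (a real upload filter would also canonicalise and re-serialise the file).
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for el in root.iter():
        if not isinstance(el.tag, str):  # comments / processing instructions
            continue
        tag = _local(el.tag)
        if tag.lower() in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for raw_name, value in el.attrib.items():
            attr = _local(raw_name).lower()
            if attr.startswith("on"):
                findings.append(f"{attr} event handler on <{tag}>")
            elif attr in URL_ATTRIBUTES:
                # Browsers ignore whitespace and control characters inside the
                # scheme, so "java\tscript:" must still be treated as javascript:.
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme.startswith("javascript:"):
                    findings.append(f"javascript: URL in {attr} on <{tag}>")
    return findings


def download_headers(filename: str, mime: str, inline_requested: bool) -> dict:
    """Pick response headers for serving an attachment (hypothetical helper).

    Active types are always sent as a download with a sandboxing CSP, even when
    the client asked for inline display; passive types may be shown inline.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)  # no quotes/CR/LF in the header
    disposition = "inline" if inline_requested and mime not in ACTIVE_MIME else "attachment"
    return {
        "Content-Type": mime,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample inputs (not real XWiki attachments).
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onload="alert(1)"/>
  <a xlink:href="java&#9;script:alert(2)"><text>click</text></a>
  <script>alert(3)</script>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#0a0"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, svg_active_content(doc))
    print(download_headers("logo.svg", "image/svg+xml", inline_requested=True))
```

The scanner is a triage aid, not a sanitizer: the robust fix for this class of bug is the header side, serving user-supplied SVG (and anything else a browser would render) as an attachment or from a separate, cookieless origin.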
CVE-2022-23615 | P4 | MEDIUM | CVSS 5.4 | affected: >= 1.0, < 13.0 | 2022-02-09
CVE-2022-23615 [MEDIUM] CWE-863: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the rights of the current user, which allows access to APIs requiring programming right if the current user has programming right. This has been patched in XWiki 13.0. Users are …
Source: nvd
CVE-2024-55876 | P4 | MEDIUM | CVSS 5.4 | affected: >= 1.2-milestone-2, < 15.10.9; >= 16.0.0-rc-1, < 16.3.0 | 2024-12-12
CVE-2024-55876 [MEDIUM] CWE-862: XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any oper…
Source: nvd
CVE-2024-43400 | P4 | MEDIUM | CVSS 5.4 | affected: >= 15.6-rc-1, < 15.10.2; >= 15.0-rc-1, < 15.5.5; +2 more | 2024-08-19
CVE-2024-43400 [MEDIUM] CWE-96: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineering to trick a user into following the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 a…
Source: nvd
CVE-2024-46979 | P4 | MEDIUM | CVSS 5.3 | affected: >= 13.2-rc-1, < 14.10.21; >= 15.0.0, < 15.5.5; +1 more | 2024-09-18
CVE-2024-46979 [MEDIUM] CWE-200: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible to get access to the notification filters of any user by using a URL such as `xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=`. This vulnerability impacts all vers…
Source: nvd
CVE-2025-32972 | P4 | MEDIUM | CVSS 5.3 | affected: >= 6.1-milestone-1, < 15.10.12; >= 16.0.0-rc-1, < 16.4.3; +1 more | 2025-04-30
CVE-2025-32972 [MEDIUM] CWE-285: XWiki is a generic wiki platform. In versions from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki incorrectly checks rights when calling the cache cleaning API, making it possible to clean the cache without having progra…
Source: nvd
CVE-2021-32730 | P4 | MEDIUM | CVSS 5.7 | fixed in 12.10.5; affected: >= 13.0, <= 13.1 | 2021-07-01
CVE-2021-32730 [MEDIUM] CWE-352: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A cross-site request forgery vulnerability exists in versions prior to 12.10.5, and in versions 13.0 through 13.1. It is possible to forge a URL that, when accessed by an admin, will reset the password of any user in XWiki. The problem has been …
Source: nvd
CVE-2021-32731 | P4 | MEDIUM | CVSS 5.3 | affected: >= 13.1RC1, <= 13.1 | 2021-07-01
CVE-2021-32731 [MEDIUM] CWE-200: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Between (and including) versions 13.1RC1 and 13.1, the reset password form reveals the email address of users just by giving their username. The problem has been patched in XWiki 13.2RC1. As a workaround, it is possible to manually modify the `re…
Source: nvd
CVE-2022-24820 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.4.5, < 10.11.8, < 11.3.1, < 13.6-rc-1 | 2022-04-08
CVE-2022-24820 [MEDIUM] CWE-359: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some Velocity documents. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem.
Source: nvd
CVE-2023-34464 | P4 | MEDIUM | CVSS 5.4 | affected: org.xwiki.platform:xwiki-platform-web >= 2.2.1, < 14.4.8; org.xwiki.platform:xwiki-platform-web-templates < 14.4.8; +2 more | 2023-06-23
CVE-2023-34464 [MEDIUM] CWE-79: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.2.1 until versions 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-platform-web, and in any version prior to 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-platform-web-templates, any user who can edit a docum…
Source: nvd
CVE-2023-26056 | P4 | MEDIUM | CVSS 5.4 | affected: >= 3.0-milestone-1, < 13.10.10; >= 14.0-rc-1, < 14.4.5; +1 more | 2023-03-02
CVE-2023-26056 [MEDIUM] CWE-863: XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it is possible to execute a script with the rights of another user, provided the target user does not have programming right. The problem has been patched in XWiki 14.8-rc-1, 14.4.5, and 13.10.10. There are no known workarounds for this issue.
Source: nvd
CVE-2022-29251 | P4 | MEDIUM | CVSS 6.1 | affected: >= 6.2.4, < 12.10.11; >= 13.0, < 13.4.7; +1 more | 2022-05-25
CVE-2022-29251 [MEDIUM] CWE-80: XWiki Platform Flamingo Theme UI is a tool that allows customization and preview of any Flamingo-based skin. Starting with versions 6.2.4 and 6.3-rc-1, a possible cross-site scripting vector is present in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the "newThemeName" form field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.…
Source: nvd
CVE-2021-29459 | P4 | MEDIUM | CVSS 6.1 | fixed in 12.6.3; affected: >= 12.6.4, < 12.8 | 2021-04-20
CVE-2021-29459 [MEDIUM] CWE-79: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible to persistently inject scripts in XWiki versions prior to 12.6.3 and 12.8. Unregistered users can fill simple text fields. Registered users can fill in their personal information and (if they have edit rights) fill the values of stat…
Source: nvd
CVE-2022-29258 | P4 | MEDIUM | CVSS 6.1 | affected: >= 5.4.4, <= 6.0-milestone-2; >= 6.0-milestone-2, < 12.10.11; +2 more | 2022-05-31
CVE-2022-29258 [MEDIUM] CWE-80: XWiki Platform Filter UI provides a generic user interface to convert from an XWiki Filter input stream to an output stream with settings for each stream. Starting with versions 6.0-milestone-2 and 5.4.4 and prior to versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3, XWiki Platform Filter UI contains a possible cross-site scripting vector in the `Filt…
Source: nvd
CVE-2022-23618 | P4 | MEDIUM | CVSS 6.1 | affected: >= 13.0.0, < 13.3RC1; fixed in 12.10.7 | 2022-02-09
CVE-2022-23618 [MEDIUM] CWE-601: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is no protection against URL redirection to untrusted sites; in particular, some well-known parameters (xredirect) can be used to perform URL redirections. This problem has been patched in XWiki 12.10.7 and XWiki 13.3RC1.
Source: nvd
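The CVE-2022-23618 entry names the bug class (CWE-601) and the parameter (`xredirect`) but not what "protection" looks like. The check below is an added example, not XWiki's code and not its actual fix: it validates a redirect target before it is placed in a `Location` header, accepting only absolute paths on the current origin or http(s) URLs whose host is on an allow-list, and rejecting the usual bypasses (protocol-relative `//host`, `javascript:`, userinfo tricks, backslashes that browsers normalise to slashes, and control characters). `ALLOWED_HOSTS`, the fallback page and all sample targets are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts this deployment may redirect to (constructed example value).
ALLOWED_HOSTS = {"wiki.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only same-site redirect targets.

    Allowed:  absolute paths on this origin ("/bin/view/Main/WebHome?x=1") and
              http(s) URLs whose host is in allowed_hosts.
    Rejected: protocol-relative URLs ("//evil.example"), non-http schemes
              ("javascript:"), credential tricks ("https://good@evil"), and
              backslashes or control characters (browsers turn "\\" into "/").
    """
    if not target or any(ord(c) < 0x20 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative target: must be an absolute path. "//host" has a netloc and
        # never reaches this branch; "/\\host" was rejected above.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # hostname excludes userinfo and port, so "https://good@evil/" yields "evil"
    return (parts.hostname or "").lower() in allowed_hosts


def resolve_redirect(xredirect, fallback="/bin/view/Main/WebHome",
                     allowed_hosts=ALLOWED_HOSTS) -> str:
    """Value a handler should put in Location: the request's target if safe, else a fixed page."""
    if xredirect is not None and is_safe_redirect(xredirect, allowed_hosts):
        return xredirect
    return fallback


if __name__ == "__main__":
    # Constructed xredirect values a scanner or attacker might send.
    for candidate in ("/bin/view/Sandbox/WebHome", "//evil.example/", "/\\evil.example",
                      "javascript:alert(1)", "https://wiki.example.com/bin/view/Main/",
                      "https://wiki.example.com@evil.example/", "https://evil.example/"):
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)}")
```

Note that the fallback is a fixed page rather than the request's referrer, so a rejected value can never be "corrected" into something attacker-controlled; and the host check runs on `urlsplit(...).hostname`, which strips userinfo and the port, so a lookalike such as `wiki.example.com.evil.example` fails the exact-match test.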
CVE-2023-26480 | P4 | MEDIUM | CVSS 5.4 | affected: >= 12.10, < 13.10.10; >= 14.0, < 14.4.7; +1 more | 2023-03-02
CVE-2023-26480 [MEDIUM] CWE-79: XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds.
Source: nvd
CVE-2023-29515 | P4 | MEDIUM | CVSS 5.4 | fixed in 13.10.11; affected: >= 14.0.0, < 14.4.8; +1 more | 2023-04-19
CVE-2023-29515 [MEDIUM] CWE-79: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes. The admin right implies the script right and thus allows JavaScript injection. The vulnerability can be exploited by creating an app in App Within Minutes.
Source: nvd
CVE-2021-21379 | P4 | MEDIUM | CVSS 5.4 | affected: >= 11.4.0, < 11.10.11; >= 12.0.0, < 12.6.3; +1 more | 2021-03-12
CVE-2021-21379 [MEDIUM] CWE-281: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform, the `{{wikimacrocontent}}` macro executes the content with the rights of the wiki macro author instead of the caller of that wiki macro. This makes it possible to inject scripts through it, and they will be executed …
Source: nvd
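The affected-version columns above mix release, RC and milestone identifiers (`13.1RC1`, `14.0-rc-1`, `1.2-milestone-2`) with two- and three-component releases (`13.0` versus `13.0.0`), and a naive string or tuple comparison gets several of them wrong (for instance `13.1RC1` must sort below `13.1`, and `13.0` must equal `13.0.0`). The following is an added example for matching a deployed XWiki version against ranges in the format this page uses; it is not cvebase's or XWiki's code. The ordering of qualifiers (milestone < beta < rc < final) is an assumption based on these listings, and `PAGE_RANGES` is built only from ranges printed on this page: entries whose column says just "fixed in X" and the "+N more" ranges the page does not show are omitted, so a miss is not proof that a version is clean.

```python
import re

# Pre-release qualifiers, lowest first; a bare release sorts above all of them.
# Ordering is assumed from the listings on this page, not taken from XWiki docs.
QUALIFIER_RANK = {"milestone": 0, "alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)[-.]?(\d+)?)?")
_CLAUSE_RE = re.compile(r"(>=|<=|>|<|=)\s*(\S+)")
_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def version_key(v: str) -> tuple:
    """Sortable key: '13.1RC1' < '13.1' == '13.1.0', '1.2-milestone-2' < '1.2-rc-1' < '1.2'."""
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * max(0, 3 - len(nums))            # 13.0 and 13.0.0 compare equal
    qualifier, qnum = m.group(2), m.group(3)
    if qualifier is None:
        return (nums, 1, 0, 0)                       # final release
    rank = QUALIFIER_RANK.get(qualifier.lower(), 1)  # unknown qualifier: assumed between milestone and rc
    return (nums, 0, rank, int(qnum) if qnum else 0)


def in_range(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause of spec, e.g. '>= 13.0, <= 13.1'."""
    key = version_key(version)
    clauses = [c.strip() for c in spec.split(",") if c.strip()]
    for clause in clauses:
        m = _CLAUSE_RE.fullmatch(clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](key, version_key(bound)):
            return False
    return bool(clauses)


def affected_cves(version: str, table) -> list:
    """Sorted CVE ids whose listed ranges include version."""
    return sorted(cve for cve, ranges in table.items()
                  if any(in_range(version, r) for r in ranges))


# Ranges copied from entries on this page (deliberately incomplete, see lead-in).
PAGE_RANGES = {
    "CVE-2026-26000": [">= 17.5.0, < 17.9.0", ">= 17.0.0-rc-1, < 17.4.6"],
    "CVE-2021-32729": ["> 11.6RC1, < 12.6.8", ">= 12.10.0, < 12.10.4"],
    "CVE-2021-32730": [">= 13.0, <= 13.1"],
    "CVE-2021-32731": [">= 13.1RC1, <= 13.1"],
    "CVE-2024-46979": [">= 13.2-rc-1, < 14.10.21", ">= 15.0.0, < 15.5.5"],
    "CVE-2024-55876": [">= 1.2-milestone-2, < 15.10.9", ">= 16.0.0-rc-1, < 16.3.0"],
    "CVE-2022-23618": [">= 13.0.0, < 13.3RC1"],
    "CVE-2025-32972": [">= 6.1-milestone-1, < 15.10.12", ">= 16.0.0-rc-1, < 16.4.3"],
}

if __name__ == "__main__":
    for v in ("13.1RC1", "13.1", "12.10.2", "17.4.5", "17.4.6"):
        print(v, affected_cves(v, PAGE_RANGES))
```

The useful property to check in a review of any such matcher is the boundary behaviour: `13.1RC1` is inside `>= 13.1RC1, <= 13.1` but `13.2RC1` is not, and `17.4.6` (the fix release for CVE-2026-26000's 17.4.x line) falls outside `< 17.4.6`, while `17.4.5` falls inside it.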