XWiki xwiki-platform vulnerabilities
227 known vulnerabilities affecting xwiki/xwiki-platform.

Total CVEs: 227
CISA KEV: 1 (actively exploited)
Public exploits: 36
Exploited in wild: 14
Severity breakdown: CRITICAL 29, HIGH 111, MEDIUM 84, LOW 3
Vulnerabilities
Page 12 of 12
CVE-2024-37898 | MEDIUM | P4 | CVSS 4.3 | CWE-862 | Date: 2024-07-31
Affected versions: >= 13.10.4, < 14.0-rc-1; >= 14.2, < 14.10.21; +2 more ranges
Description (source: nvd): XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When a user has view but not edit right on a page in XWiki, that user can delete the page and replace it by a page with new content without having delete right. The previous version of the page is moved into the recycle bin and can be restored fr
CVE-2024-38369 | MEDIUM | P4 | CVSS 4.3 | CWE-863 | Date: 2024-06-24
Affected versions: >= 1.5-milestone-2, < 15.0-rc-1
Description (source: nvd): XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference="targetdocument"/}}` is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the au
CVE-2025-32783 | MEDIUM | P4 | CVSS 4.3 | CWE-668 | Date: 2025-04-16
Affected versions: >= 5.0, <= 16.7.1
Description (source: nvd): XWiki Platform is a generic wiki platform. A vulnerability in versions from 5.0 to 16.7.1 affects users with Message Stream enabled and a wiki configured as closed from selecting "Prevent unregistered users to view pages" in the Administrations Rights. The vulnerability is that any message sent in a subwiki to "everyone" is actually sent to the farm
CVE-2022-36095 | MEDIUM | P4 | CVSS 4.3 | CWE-352 | Date: 2022-09-08
Affected versions: >= 2.0-milestone-1, < 13.10.5; >= 14.0, < 14.3
Description (source: nvd): XWiki Platform is a generic wiki platform. Prior to versions 13.10.5 and 14.3, it is possible to perform a Cross-Site Request Forgery (CSRF) attack for adding or removing tags on XWiki pages. The problem has been patched in XWiki 13.10.5 and 14.3. As a workaround, one may locally modify the `documentTags.vm` template in one's filesystem, to apply th
CVE-2025-32971 | LOW | P4 | CVSS 3.8 | CWE-863 | Date: 2025-04-30
Affected versions: >= 4.5.1, < 15.10.13; >= 16.0.0-rc-1, < 16.4.4; +1 more range
Description (source: nvd): XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's scripting API normally requires programming rights to be
CVE-2025-49583 | LOW | P4 | CVSS 3.5 | CWE-270 | Date: 2025-06-13
Affected versions: fixed in 15.10.16; >= 16.0.0-rc-1, < 16.4.7; +1 more range
Description (source: nvd): XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Vel
CVE-2022-29253 | LOW | P4 | CVSS 2.7 | CWE-22 | Date: 2022-05-25
Affected versions: >= 8.3-rc-1, < 13.10.3
Description (source: nvd): XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path with ".." in it. The issue is patched in versions 14.0 and 13.10.3. There is no easy workarou