Xwiki Xwiki-Platform vulnerabilities
227 known vulnerabilities affecting xwiki/xwiki-platform.
Total CVEs: 227
CISA KEV: 1 (actively exploited)
Public exploits: 36
Exploited in wild: 14
Severity breakdown: CRITICAL 29, HIGH 111, MEDIUM 84, LOW 3
Vulnerabilities
Page 3 of 12
CVE-2026-33229 | P2 | CRITICAL | CVSS 9.8 | CWE-862 | Affected: >= 17.0.0-rc-1, < 17.4.8; >= 17.5.0-rc-1, < 17.10.1 | Published: 2026-04-08
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance
Source: nvd
CVE-2023-29523 | P2 | HIGH | CVSS 8.8 | CWE-74 | Affected: >= 3.3-milestone-1, < 13.10.11; >= 14.0-rc-1, < 14.4.8; +1 more | Published: 2023-04-19
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The same vulnerability can also b
Source: nvd
CVE-2023-27479 | P2 | CRITICAL | CVSS 9.9 | CWE-74 | Affected: >= 6.3-milestone-2, < 13.10.11; >= 14.0.0, < 14.4.7; +1 more | Published: 2023-03-07
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of UIX parameters. A proof of concept exploit is
Source: nvd
CVE-2023-29522 | P2 | HIGH | CVSS 8.8 | CWE-74 | Affected: fixed in 14.4.8; >= 14.5.0, < 14.10.3 | Published: 2023-04-19
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with
Source: nvd
CVE-2023-37909 | P2 | HIGH | CVSS 8.8 | CWE-95 | Affected: >= 5.1-rc-1, < 14.10.8; >= 15.0-rc-1, < 15.3-rc-1 | Published: 2023-10-25
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.1-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted rea
Source: nvd
CVE-2024-55877 | P2 | HIGH | CVSS 8.8 | CWE-96 | Affected: >= 9.7-rc-1, < 15.10.11; >= 16.0.0-rc-1, < 16.4.1; +1 more | Published: 2024-12-12
XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This
Source: nvd
CVE-2025-32430 | P3 | MEDIUM | CVSS 6.1 | PoC | CWE-79 | Affected: >= 4.2-milestone-3, < 16.4.8; >= 16.5.0-rc-1, < 16.10.6; +1 more | Published: 2025-08-06
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's s
Source: nvd
CVE-2023-36470 | P2 | HIGH | CVSS 8.8 | CWE-74 | Affected: >= 6.2-milestone-1, < 14.10.6 | Published: 2023-06-29
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By either creating a new or editing an existing document with an icon set, an attacker can inject XWiki syntax and Velocity code that is executed with programming rights and thus allows remote code execution. There are different attack vectors, the
Source: nvd
CVE-2023-29510 | P2 | HIGH | CVSS 8.8 | CWE-74 | Affected: fixed in 14.10.2 | Published: 2023-04-19
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code executi
Source: nvd
CVE-2023-37914 | P2 | HIGH | CVSS 8.8 | CWE-94 | Affected: >= 2.5-m1, < 14.4.8; >= 14.5.0, < 14.10.6; +1 more | Published: 2023-08-17
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view `Invitation.WebHome` can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This vulnerability has been patched
Source: nvd
CVE-2024-55879 | P2 | HIGH | CVSS 8.8 | CWE-862 | Affected: >= 2.3, < 15.10.9; >= 16.0.0-rc-1, < 16.3.0 | Published: 2024-12-12
XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been p
Source: nvd
CVE-2025-54385 | P2 | CRITICAL | CVSS 9.8 | CWE-20 | Affected: fixed in 16.10.6; >= 17.0.0-rc1, < 17.3.0-rc-1 | Published: 2025-07-26
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it is possible to execute any SQL query in Oracle by using functions like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate
Source: nvd
CVE-2026-33137 | P2 | CRITICAL | CVSS 9.3 | CWE-862 | Affected: >= 15.10.6, < 16.10.17; >= 17.0.0-rc-1, < 17.4.9; +2 more | Published: 2026-05-20
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization ch
Source: nvd
CVE-2024-37901 | P2 | HIGH | CVSS 8.8 | CWE-95 | Affected: >= 15.6-rc-1, < 15.10.2; >= 15.0-rc-1, < 15.5.5; +1 more | Published: 2024-07-31
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, i
Source: nvd
CVE-2023-35162 | P3 | MEDIUM | CVSS 6.1 | PoC | CWE-79 | Affected: >= 6.1-rc-1, < 14.10.5; >= 15.0-rc-1, < 15.1-rc-1 | Published: 2023-06-23
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). It is possible to exploit the previewactions template to perform an XSS, e.g. by using a URL such as: > /xwiki/bin/get/FlamingoThemes/Cerulean xpage=xpart&v
Source: nvd
CVE-2023-35159 | P3 | MEDIUM | CVSS 6.1 | PoC | CWE-87 | Affected: >= 3.4-milestone-1, < 14.10.5; >= 15.0-rc-1, < 15.1-rc-1 | Published: 2023-06-23
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). It is possible to exploit the deletespace template to perform an XSS, e.g. by using a URL such as: > xwiki/bin/deletespace/Sandbox/?xredirect=javascript:ale
Source: nvd
CVE-2023-35158 | P3 | MEDIUM | CVSS 6.1 | PoC | CWE-87 | Affected: >= 9.4-rc-1, < 14.10.5; >= 15.0-rc-1, < 15.1-rc-1 | Published: 2023-06-23
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). It is possible to exploit the restore template to perform an XSS, e.g. by using a URL such as: > /xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xre
Source: nvd
CVE-2022-24819 | P3 | MEDIUM | CVSS 5.3 | PoC | CWE-359 | Affected: fixed in 4.3 | Published: 2022-04-08
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents related to users of the wiki. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem.
Source: nvd
CVE-2026-24128 | P3 | MEDIUM | CVSS 6.1 | PoC | CWE-79 | Affected: >= 7.0-milestone-2, < 16.10.12; >= 17.0.0-rc-1, < 17.4.5; +1 more | Published: 2026-01-24
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions wit
Source: nvd
CVE-2025-46557 | P3 | CRITICAL | CVSS 9.8 | CWE-862 | Affected: >= 15.3-rc-1, < 15.10.14; >= 16.0.0-rc-1, < 16.4.6; +1 more | Published: 2025-04-30
XWiki is a generic wiki platform. In versions starting from 15.3-rc-1 to before 15.10.14, from 16.0.0-rc-1 to before 16.4.6, and from 16.5.0-rc-1 to before 16.10.0-rc-1, a user who can access pages located in the XWiki space (by default, anyone) can access the page XWiki.Authentication.Administration and (unless an authenticator is set in xwiki.cf
Source: nvd