
Xwiki Xwiki-Platform vulnerabilities

227 known vulnerabilities affecting xwiki/xwiki-platform.

Total CVEs: 227
CISA KEV: 1 (actively exploited)
Public exploits: 36
Exploited in wild: 14
Severity breakdown: CRITICAL 29, HIGH 111, MEDIUM 84, LOW 3

Vulnerabilities

Page 4 of 12
CVE-2023-29514 | P2 | HIGH | CVSS 8.8 | fixed in 13.10.11; affected: >= 14.0.0, < 14.4.8; +1 more | 2023-04-19
CVE-2023-29514 [HIGH] CWE-74: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on any document (e.g., their own user profile) can execute code with programming rights, leading to remote code execution. This vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.1 and 15.0 RC1. Users are advis
Source: nvd
CVE-2025-48063 | P2 | HIGH | CVSS 8.8 | affected: >= 16.10.0-rc-1, < 16.10.4; >= 17.0.0-rc-1, < 17.1.0-rc-1 | 2025-05-21
CVE-2025-48063 [HIGH] CWE-285: XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as a required right. That way, users who are editing documents on which required rights are enforced ca
Source: nvd
CVE-2023-35161 | P3 | MEDIUM | CVSS 6.1 | PoC | affected: >= 6.2-milestone-1, < 14.10.5; >= 15.0-rc-1, < 15.1-rc-1 | 2023-06-23
CVE-2023-35161 [MEDIUM] CWE-87: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload allowing them to inject JavaScript into the page (XSS). It's possible to exploit the DeleteApplication page to perform an XSS, e.g. by using a URL such as: xwiki/bin/view/AppWithinMinutes/DeleteApplication?app
Source: nvd
CVE-2023-35160 | P3 | MEDIUM | CVSS 6.1 | PoC | affected: >= 2.5-milestone-2, < 14.10.5; >= 15.0-rc-1, < 15.1-rc-1 | 2023-06-23
CVE-2023-35160 [MEDIUM] CWE-87: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload allowing them to inject JavaScript into the page (XSS). It's possible to exploit the resubmit template to perform an XSS, e.g. by using a URL such as: xwiki/bin/view/XWiki/Main xpage=resubmit&resubmit=javascri
Source: nvd
CVE-2023-35156 | P3 | MEDIUM | CVSS 6.1 | PoC | affected: >= 6.0-rc-1, < 14.10.6; >= 15.0-rc-0, < 15.1 | 2023-06-23
CVE-2023-35156 [MEDIUM] CWE-87: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload allowing them to inject JavaScript into the page (XSS). It's possible to exploit the delete template to perform an XSS, e.g. by using a URL such as: xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.
Source: nvd
CVE-2023-29204 | P3 | MEDIUM | CVSS 6.1 | PoC | affected: >= 6.0-rc-1, < 13.10.10; >= 14.0-rc-1, < 14.4.4; +1 more | 2023-04-15
CVE-2023-29204 [MEDIUM] CWE-601: XWiki Commons are technical libraries common to several other top level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirects by using a redirect such as `//mydomain.com` (i.e. omitting the `http:`). It was also possible to bypass it when using a URL such as `http:/mydomain.com`. The problem has be
Source: nvd
CVE-2023-29506 | P3 | MEDIUM | CVSS 6.1 | PoC | affected: >= 13.10.8, < 13.10.11; >= 14.4.3, < 14.4.7; +1 more | 2023-04-16
CVE-2023-29506 [MEDIUM] CWE-79: XWiki Commons are technical libraries common to several other top level XWiki projects. It was possible to inject some code using the URL of authenticated endpoints. This problem has been patched in XWiki 13.10.11, 14.4.7 and 14.10.
Source: nvd
CVE-2024-45591 | P3 | MEDIUM | CVSS 5.3 | PoC | affected: >= 1.8.0, < 15.10.9; >= 16.0.0-rc-1, < 16.3.0-rc-1 | 2024-09-10
CVE-2024-45591 [MEDIUM] CWE-359: XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes, for each modification of the page, the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This info
Source: nvd
CVE-2026-40105 | P3 | MEDIUM | CVSS 6.1 | PoC | affected: >= 10.4-rc-1, < 16.10.16; >= 17.0.0-rc-1, < 17.4.8; +1 more | 2026-04-15
CVE-2026-40105 [MEDIUM] CWE-80: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page that allows executing JavaScript code in t
Source: nvd
CVE-2025-66472 | P3 | MEDIUM | CVSS 6.1 | PoC | affected: org.xwiki.platform:xwiki-platform-flamingo-skin-resources >= 6.2-milestone-1, < 16.10.10; org.xwiki.platform:xwiki-platform-flamingo-skin-resources >= 17.0.0-rc-1, < 17.4.2; +2 more | 2025-12-10
CVE-2025-66472 [MEDIUM] CWE-79: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-
Source: nvd
CVE-2024-31987 | P2 | HIGH | CVSS 8.8 | affected: >= 6.4-milestone-1, < 14.10.19; >= 15.0-rc-1, < 15.5.4; +1 more | 2024-04-10
CVE-2024-31987 [HIGH] CWE-862: XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution. This has been patched in XWiki 14.10.19,
Source: nvd
CVE-2024-55663 | P3 | CRITICAL | CVSS 9.8 | affected: >= 6.3-milestone-2, < 13.10.5; >= 14.0-rc-1, < 14.3-rc-1 | 2024-12-12
CVE-2024-55663 [CRITICAL] CWE-116: XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in `getdocument.vm` the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL. Depending on the used database backend, the attacker may be abl
Source: nvd
CVE-2022-23616 | P3 | HIGH | CVSS 8.8 | affected: > 3.1M1, < 13.1RC1 | 2022-02-09
CVE-2022-23616 [HIGH] CWE-74: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for an unprivileged user to perform a remote code execution by injecting a groovy script in her own profile and by calling the Reset password feature, since the feature is performing a save of the user profile with
Source: nvd
CVE-2023-29519 | P3 | HIGH | CVSS 8.8 | fixed in 13.10.11; affected: >= 14.0.0, < 14.4.8; +1 more | 2023-04-19
CVE-2023-29519 [HIGH] CWE-74: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comme
Source: nvd
CVE-2024-31983 | P3 | HIGH | CVSS 8.8 | affected: >= 4.3-milestone-2, < 14.10.20; >= 15.0-rc-1, < 15.5.4; +1 more | 2024-04-10
CVE-2024-31983 [HIGH] CWE-862: XWiki Platform is a generic wiki platform. In multilingual wikis, translations can be edited by any user who has edit right, circumventing the rights that are normally required for authoring translations (script right for user-scope translations, wiki admin for translations on the wiki). Starting in version 4.3-milestone-2 and prior to versions 4.10.20
Source: nvd
CVE-2024-31981 | P3 | HIGH | CVSS 8.8 | affected: >= 3.0.1, < 14.10.20; >= 15.0-rc-1, < 15.5.4; +1 more | 2024-04-10
CVE-2024-31981 [HIGH] CWE-862: XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, remote code execution is possible via PDF export templates. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10-rc-1. If PDF templates are not typically used on the instance, an administrator can create the doc
Source: nvd
CVE-2023-37913 | P3 | HIGH | CVSS 8.8 | affected: >= 3.5-milestone-1, < 14.10.8; >= 15.0-rc-1, < 15.3-rc-1 | 2023-10-25
CVE-2023-37913 [HIGH] CWE-22: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 3.5-milestone-1 and prior to versions 14.10.8 and 15.3-rc-1, triggering the office converter with a specially crafted file name allows writing the attachment's content to an attacker-controlled location on the server as long as t
Source: nvd
CVE-2025-32968 | P3 | HIGH | CVSS 8.8 | affected: >= 1.6-milestone-1, < 15.10.16; >= 16.0.0-rc-1, < 16.4.6; +1 more | 2025-04-23
CVE-2025-32968 [HIGH] CWE-89: XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. Depending on the used database backend, the attacker may
Source: nvd
CVE-2023-35155 | P3 | MEDIUM | CVSS 6.1 | PoC | affected: >= 2.6-rc-2, < 14.4.8; >= 14.5, < 14.10.4 | 2023-06-23
CVE-2023-35155 [MEDIUM] CWE-79: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload allowing them to inject JavaScript into the page (XSS). For instance, the following URL executes an `alert` in the browser: `/xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%
Source: nvd
CVE-2023-40176 | P3 | MEDIUM | CVSS 5.4 | affected: >= 4.1-milestone-2, < 14.10.5 | 2023-08-23
CVE-2023-40176 [MEDIUM] CWE-79: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can exploit a stored XSS through their user profile by setting the payload as the value of the time zone user preference. Even though the time zone is selected from a drop down (no free text value) it can still be set from Java
Source: nvd