
Xwiki Xwiki-Rendering vulnerabilities

7 known vulnerabilities affecting xwiki/xwiki-rendering.

Total CVEs: 7
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 2

Vulnerabilities

CVE-2025-66474 | HIGH (P2) | CVSS 8.8 | CWE-95 | fixed in 16.10.10 | affected: ≥ 17.0.0, < 17.4.3 (+3 more ranges) | published 2025-12-10
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit to achieve remote code execution (RCE). Any user who can e
Source: NVD

CVE-2026-24128 | MEDIUM (P3) | CVSS 6.1 | CWE-79 | public PoC available | v17.5.0 | published 2026-01-24
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions wit
Note: this is the only entry on this page flagged with a public proof of concept (the "Public exploits: 1" count above).
Source: NVD

CVE-2023-37912 | HIGH (P2) | CVSS 8.8 | CWE-270 | fixed in 14.10.6 | v15.0 (+1 more range) | published 2023-10-25
XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Prior to version 14.10.6 of `org.xwiki.platform:xwiki-core-rendering-macro-footnotes` and `org.xwiki.platform:xwiki-rendering-macro-footnotes` and prior to version 15.1-rc-1 of `org.xwiki.platform:xwiki-rendering-macro-footnotes`, the footn
Source: NVD

CVE-2025-53836 | HIGH (P3) | CVSS 8.8 | CWE-94 | affected: ≥ 4.2-milestone-1, < 13.10.11; ≥ 14.0, < 14.4.7 (+1 more range) | published 2025-07-15
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when execut
Source: NVD

CVE-2023-37908 | CRITICAL (P3) | CVSS 9.6 | CWE-83 | affected: ≥ 14.6-rc-1, < 14.10.4 (also listed as ≥ 14.6, < 14.10.4) | published 2023-10-25
XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. The cleaning of attributes during XHTML rendering, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid attribute names. This can be exploited, e.g., via the link syntax
Source: NVD

CVE-2025-53835 | CRITICAL (P3) | CVSS 9.0 | CWE-79 | affected: ≥ 5.4.5, < 14.10 | published 2025-07-14
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML co
Source: NVD

CVE-2023-32070 | MEDIUM (P4) | CVSS 6.1 | CWE-83 | fixed in 14.6-rc-1 | listed range: ≤ 3.0-milestone-2 | published 2023-05-10
XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a
Note: the listed range (≤ 3.0-milestone-2) is narrower than the description, which states that every version prior to 14.6-rc-1 is affected; treat the description as authoritative when triaging.
Source: NVD
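To turn the version ranges above into a quick triage check, here is an added Python helper (example code written for this page, not cvebase's or XWiki's own code) that answers "which of the seven CVEs listed here have a stated affected range containing a given XWiki version". It encodes only the ranges the NVD descriptions above state; ranges hidden behind "+N more" are not guessed. Two lower bounds the page does not state are assumptions and marked as such in the table: 15.0 as the start of the 15.x line for CVE-2023-37912 (the header lists "v15.0"), and 14.5 as the start of the branch of CVE-2025-53836 fixed in 14.10. The Maven-style qualifier ordering (milestone < rc < final release, so 14.6-rc-1 sorts before 14.6) is also an assumption about how XWiki version strings compare.

```python
import re

# Qualifier ordering (assumption, Maven-style): milestone/alpha/beta < rc < final release.
_QUALIFIER_RANK = {"alpha": 0, "beta": 0, "milestone": 0, "rc": 1}
_FINAL = 2
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)-?(\d+)?)?")


def version_key(v):
    """Sort key for XWiki version strings such as '14.10.6', '17.0.0-rc-1'
    or '4.2-milestone-1'. Numeric parts are zero-padded to four components
    so '14.10' and '14.10.0' compare equal; a qualifier makes the version
    sort below the final release with the same numbers."""
    m = _VERSION_RE.fullmatch(v.strip())
    if not m or len(m.group(1).split(".")) > 4:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    if m.group(2) is None:
        return nums + (_FINAL, 0)
    # Unknown qualifiers are treated like rc-level pre-releases (assumption).
    rank = _QUALIFIER_RANK.get(m.group(2).lower(), 1)
    return nums + (rank, int(m.group(3) or 0))


# Affected ranges as stated in the NVD descriptions excerpted on this page.
# Each range is (lower bound inclusive or None, upper bound, upper bound inclusive?).
AFFECTED = [
    ("CVE-2025-66474", [(None, "16.10.9", True),
                        ("17.0.0-rc-1", "17.4.2", True),
                        ("17.5.0-rc-1", "17.5.0", True)]),
    ("CVE-2026-24128", [("7.0-milestone-2", "16.10.11", True),
                        ("17.0.0-rc-1", "17.4.4", True),
                        ("17.5.0-rc-1", "17.7.0", True)]),
    # Lower bound 15.0 for the 15.x line is an assumption (page header lists "v15.0").
    ("CVE-2023-37912", [(None, "14.10.6", False),
                        ("15.0", "15.1-rc-1", False)]),
    # Lower bound 14.5 for the branch fixed in 14.10 is an assumption ("+1 more" on the page).
    ("CVE-2025-53836", [("4.2-milestone-1", "13.10.11", False),
                        ("14.0", "14.4.7", False),
                        ("14.5", "14.10", False)]),
    ("CVE-2023-37908", [("14.6-rc-1", "14.10.4", False)]),
    ("CVE-2025-53835", [("5.4.5", "14.10", False)]),
    ("CVE-2023-32070", [(None, "14.6-rc-1", False)]),
]


def in_range(version, lo, hi, hi_inclusive):
    """True if `version` lies in [lo, hi] (or [lo, hi) when hi is exclusive)."""
    k = version_key(version)
    if lo is not None and k < version_key(lo):
        return False
    hk = version_key(hi)
    return k <= hk if hi_inclusive else k < hk


def affected_cves(version):
    """Return, in page order, the CVE ids whose stated ranges contain `version`."""
    return [cve for cve, ranges in AFFECTED
            if any(in_range(version, lo, hi, inc) for lo, hi, inc in ranges)]


if __name__ == "__main__":
    for v in ("14.6-rc-1", "14.10.4", "16.10.9", "17.4.3", "17.7.1"):
        print(v, "->", affected_cves(v) or "none of the listed CVEs")
```

Run it with the version reported by your XWiki instance; an empty result only means none of the seven CVEs on this page apply as far as their stated ranges go, not that the version is free of other issues.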