CVE-2023-26479— org.xwiki.platform:xwiki-platform-rendering-parser vulnerable to Improper Handling of Exceptional Conditions
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-26479
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
org.xwiki.platform:xwiki-platform-rendering-parser vulnerable to Improper Handling of Exceptional Conditions
Source: NVD (National Vulnerability Database)
Vulnerability Description
XWiki Platform is a generic wiki platform. Starting in version 6.0, users with write rights can insert well-formed content that is not handled well by the parser. As a consequence, some pages becomes unusable, including the user index (if the page containing the faulty content is a user page) and the page index. Note that on the page, the normal UI is completely missing and it is not possible to open the editor directly to revert the change as the stack overflow is already triggered while getting the title of the document. This means that it is quite difficult to remove this content once inserted. This has been patched in XWiki 13.10.10, 14.4.6, and 14.9-rc-1. A temporary workaround to avoid Stack Overflow errors is to increase the memory allocated to the stack by using the `-Xss` JVM parameter (e.g., `-Xss32m`). This should allow the parser to pass and to fix the faulty content. The consequences for other aspects of the system (e.g., performance) are unknown, and this workaround should be only be used as a temporary solution. The workaround does not prevent the issue occurring again with other content. Consequently, it is strongly advised to upgrade to a version where the issue has been patched.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对异常条件的处理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
XWiki Platform 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
XWiki Platform是法国XWiki公司的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform存在安全漏洞,该漏洞源于具有写入权限的用户可以插入格式正确但解析器无法正确处理的内容,攻击者利用该漏洞可以触发堆栈溢出。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| xwiki | xwiki-platform | >= 6.0, < 13.10.10 | - |
II. Public POCs for CVE-2023-26479
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-26479
请登录查看更多情报信息。
- https://jira.xwiki.org/browse/XWIKI-19838x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2023-26479
Same Patch Batch · xwiki · 2023-03-02 · 13 CVEs total
| CVE-2023-26055 | 10.0 CRITICAL | XWiki Commons may allow privilege escalation to programming rights via user's first name |
| CVE-2023-26471 | 10.0 CRITICAL | XWiki Platform users may execute anything with superadmin right through comments and async |
| CVE-2023-26472 | 10.0 CRITICAL | XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from |
| CVE-2023-26474 | 10.0 CRITICAL | XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are |
| CVE-2023-26475 | 10.0 CRITICAL | XWiki Platform vulnerable to Remote Code Execution in Annotations |
| CVE-2023-26477 | 10.0 CRITICAL | org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability |
| CVE-2023-26480 | 8.9 HIGH | XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Da |
| CVE-2023-26476 | 7.5 HIGH | Two XWiki Platform UIs Expose Sensitive Information to an Unauthorized Actor |
| CVE-2023-26478 | 6.6 MEDIUM | org.xwiki.platform:xwiki-platform-store-filesystem-oldcore has Exposed Dangerous Method or |
| CVE-2023-26473 | 6.5 MEDIUM | XWiki Platform allows unprivileged users to make arbitrary select queries using DatabaseLi |
| CVE-2023-26470 | 5.7 MEDIUM | In XWiki Platform, saving a document with a large object number leads to persistent OOM er |
| CVE-2023-26056 | 5.4 MEDIUM | XWiki Platform allows macro execution as any user without programming rights through the c |
IV. Related Vulnerabilities
Same product: xwiki-platform
- CVE-2026-40105
XWiki has Reflected Cross-Site Scripting (XSS) in its page h - CVE-2026-33229
XWiki Platform affected by remote code execution with script - CVE-2026-26000
XWiki Platform affected by click-jacking through CSS injecti - CVE-2026-24128
XWiki Affected by Reflected Cross-Site Scripting (XSS) in Er - CVE-2025-66473
XWiki's REST APIs don't enforce any limits, leading to unava
Same vendor: xwiki
- CVE-2026-40105
XWiki has Reflected Cross-Site Scripting (XSS) in its page h - CVE-2026-40104
XWiki's REST APIs can list all pages/spaces, leading to unav - CVE-2026-33229
XWiki Platform affected by remote code execution with script - CVE-2026-26000
XWiki Platform affected by click-jacking through CSS injecti - CVE-2026-24128
XWiki Affected by Reflected Cross-Site Scripting (XSS) in Er
Same weakness: CWE-755
- CVE-2026-23666
.NET Framework Denial of Service Vulnerability - CVE-2026-40074
SvelteKit's invalidated redirect in handle hook causes Denia - CVE-2026-28542
Huawei EMUI和Huawei HarmonyOS 安全漏洞 - CVE-2026-27195
Wasmtime is vulnerable to panic when dropping a `[Typed]Func - CVE-2026-27586
Caddy's mTLS client authentication silently fails open when
V. Comments for CVE-2023-26479
No comments yet