
xwiki — Vulnerabilities & Security Advisories (243)

Browse all 243 CVE security advisories affecting xwiki. AI-powered Chinese analysis, POCs, and references for each vulnerability.

XWiki serves as an open-source enterprise wiki platform, enabling organizations to create, manage, and share collaborative documentation and knowledge bases. Its architecture, built on Java and supporting complex extensions, has historically exposed it to a wide array of security flaws, resulting in 243 recorded Common Vulnerabilities and Exposures. The most prevalent issues involve Remote Code Execution (RCE), Cross-Site Scripting (XSS), and privilege escalation vulnerabilities, often stemming from improper input validation or insecure default configurations. Notable incidents have included attackers exploiting unpatched RCE flaws to gain full system control, highlighting the risks associated with its extensive plugin ecosystem. While the project maintains an active security response team, the sheer volume of disclosed defects underscores the complexity of securing a feature-rich, Java-based application. Continuous patching and strict access controls remain essential for mitigating these persistent threats in production environments.

| CVE ID | Title | Package | CWE | CVSS | Severity (AI = AI-assessed) | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40105 | XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality | xwiki-platform | CWE-80 | 8.8 | - | 2026-04-15 |
| CVE-2026-40104 | XWiki's REST APIs can list all pages/spaces, leading to unavailability | org.xwiki.platform:xwiki-platform-oldcore | CWE-770 | 7.5 | - | 2026-04-15 |
| CVE-2026-33229 | XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API | xwiki-platform | CWE-862 | 9.9 | Critical (AI) | 2026-04-08 |
| CVE-2026-26000 | XWiki Platform affected by click-jacking through CSS injection in comments | xwiki-platform | CWE-1021 | 4.1 | Medium (AI) | 2026-02-12 |
| CVE-2026-24128 | XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages | xwiki-platform | CWE-79 | 9.6 | - | 2026-01-23 |
| CVE-2025-66474 | XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection | xwiki-rendering | CWE-95 | 8.8 | High (AI) | 2025-12-10 |
| CVE-2025-66473 | XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis | xwiki-platform | CWE-770 | 7.5 | High (AI) | 2025-12-10 |
| CVE-2025-66472 | XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication | xwiki-platform | CWE-79 | 6.1 | Medium (AI) | 2025-12-10 |
| CVE-2025-55749 | The XWiki Jetty package (XJetty) allows accessing any application file through URL | xwiki-platform | CWE-284 | 7.5 | High (AI) | 2025-12-01 |
| CVE-2025-52472 | XWiki Platform vulnerable to HQL injection via wiki and space search REST API | xwiki-platform | CWE-89 | 7.1 | High (AI) | 2025-10-06 |
| CVE-2025-55748 | XWiki Platform's configuration files can be accessed through jsx and sx endpoints | xwiki-platform | CWE-23 | 7.5 | High (AI) | 2025-09-03 |
| CVE-2025-55747 | XWiki Platform's configuration files can be accessed through the webjars API | xwiki-platform | CWE-23 | 7.5 | High (AI) | 2025-09-03 |
| CVE-2025-58049 | XWiki PDF export jobs store sensitive cookies unencrypted in job statuses | xwiki-platform | CWE-212 | 5.8 | Medium | 2025-08-28 |
| CVE-2025-54125 | XWiki Platform: Password and email exposure in xml.vm fields | xwiki-platform | CWE-359 | 8.1 | High (AI) | 2025-08-05 |
| CVE-2025-54124 | XWiki Platform: Any user with editing rights can access password properties through Database List Properties | xwiki-platform | CWE-359 | 6.5 | Medium (AI) | 2025-08-05 |
| CVE-2025-32430 | XWiki Platform contains Reflected XSS vulnerability in two templates | xwiki-platform | CWE-79 | 6.1 | Medium (AI) | 2025-08-05 |
| CVE-2025-54385 | XWiki Platform's searchDocuments API allows for SQL injection | xwiki-platform | CWE-20 | 8.8 | - | 2025-07-26 |
| CVE-2025-32429 | XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter | xwiki-platform | CWE-89 | 9.8 | - | 2025-07-24 |
| CVE-2025-53836 | XWiki Rendering is vulnerable to RCE attacks when processing nested macros | xwiki-rendering | CWE-863 | 10.0 | Critical | 2025-07-14 |
| CVE-2025-53835 | XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax | xwiki-rendering | CWE-79 | 9.1 | Critical | 2025-07-14 |
| CVE-2025-49587 | XWiki does not require right warnings for notification displayer objects | xwiki-platform | CWE-357 | 5.4 | Medium (AI) | 2025-06-13 |
| CVE-2025-49586 | XWiki allows remote code execution through preview of XClass changes in AWM editor | xwiki-platform | CWE-863 | 8.8 | High (AI) | 2025-06-13 |
| CVE-2025-49585 | XWiki does not require right warnings for XClass definitions | xwiki-platform | CWE-357 | 6.3 | Medium (AI) | 2025-06-13 |
| CVE-2025-49584 | XWiki makes title of inaccessible pages available through the class property values REST API | xwiki-platform | CWE-201 | 5.3 | Medium (AI) | 2025-06-13 |
| CVE-2025-49583 | XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right | xwiki-platform | CWE-270 | 4.6 | Medium (AI) | 2025-06-13 |
| CVE-2025-49582 | XWiki's required right warnings for macros are incomplete | xwiki-platform | CWE-357 | 5.4 | Medium (AI) | 2025-06-13 |
| CVE-2025-49581 | XWiki allows remote code execution through default value of wiki macro wiki-type parameters | xwiki-platform | CWE-94 | 8.8 | High (AI) | 2025-06-13 |
| CVE-2025-49580 | XWiki allows privilege escalation through link refactoring | xwiki-platform | CWE-266 | 9.3 | Critical (AI) | 2025-06-13 |
| CVE-2024-56158 | XWiki allows SQL injection in query endpoint of REST API with Oracle | xwiki-platform | CWE-89 | 9.8 | Critical (AI) | 2025-06-12 |
| CVE-2025-48063 | XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right | xwiki-platform | CWE-285 | 7.1 | High (AI) | 2025-05-21 |

This page lists every published CVE security advisory associated with xwiki. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.