
xwiki — Vulnerabilities & Security Advisories 245

Browse all 245 CVE security advisories affecting xwiki. AI-powered Chinese analysis, POCs, and references for each vulnerability.

XWiki serves as an open-source enterprise wiki platform, enabling organizations to create, manage, and share collaborative documentation and knowledge bases. Its architecture, built on Java and supporting complex extensions, has historically exposed it to a wide array of security flaws, resulting in 243 recorded Common Vulnerabilities and Exposures. The most prevalent issues involve Remote Code Execution (RCE), Cross-Site Scripting (XSS), and privilege escalation vulnerabilities, often stemming from improper input validation or insecure default configurations. Notable incidents have included attackers exploiting unpatched RCE flaws to gain full system control, highlighting the risks associated with its extensive plugin ecosystem. While the project maintains an active security response team, the sheer volume of disclosed defects underscores the complexity of securing a feature-rich, Java-based application. Continuous patching and strict access controls remain essential for mitigating these persistent threats in production environments.

| CVE ID | Title | Project | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2023-46732 | Reflected Cross-site scripting through revision parameter in content menu in XWiki Platform | xwiki-platform | CWE-79 | 9.7 | Critical | 2023-11-06 |
| CVE-2023-45137 | XWiki Platform XSS with edit right in the create document form for existing pages | xwiki-platform | CWE-79 | 9.1 | Critical | 2023-10-25 |
| CVE-2023-45136 | XWiki Platform web templates vulnerable to reflected XSS in the create document form if name validation is enabled | xwiki-platform | CWE-79 | 9.7 | Critical | 2023-10-25 |
| CVE-2023-45135 | XWiki users can be tricked to execute scripts as the create page action doesn't display the page's title | xwiki-platform | CWE-116 | 9.1 | Critical | 2023-10-25 |
| CVE-2023-45134 | XWiki Platform XSS vulnerability from account in the create page form via template provider | xwiki-platform | CWE-79 | 9.1 | Critical | 2023-10-25 |
| CVE-2023-37913 | org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server side file writing from account through office converter | xwiki-platform | CWE-23 | 10.0 | Critical | 2023-10-25 |
| CVE-2023-37912 | XWiki Rendering's footnote macro vulnerable to privilege escalation via the footnote macro | xwiki-rendering | CWE-270 | 10.0 | Critical | 2023-10-25 |
| CVE-2023-37911 | org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents | xwiki-platform | CWE-668 | 6.5 | Medium | 2023-10-25 |
| CVE-2023-37910 | org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move | xwiki-platform | CWE-862 | 8.1 | High | 2023-10-25 |
| CVE-2023-37909 | Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet | xwiki-platform | CWE-95 | 10.0 | Critical | 2023-10-25 |
| CVE-2023-37908 | org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability | xwiki-rendering | CWE-83 | 9.1 | Critical | 2023-10-25 |
| CVE-2023-41046 | Velocity execution without script rights in Xwiki platform | xwiki-platform | CWE-862 | 6.3 | Medium | 2023-09-01 |
| CVE-2023-40573 | XWiki Platform's Groovy jobs check the wrong author, allowing remote code execution | xwiki-platform | CWE-284 | 9.1 | Critical | 2023-08-24 |
| CVE-2023-40572 | XWiki Platform vulnerable to CSRF privilege escalation/RCE via the create action | xwiki-platform | CWE-352 | 9.1 | Critical | 2023-08-24 |
| CVE-2023-40177 | XWiki Platform privilege escalation (PR) from account through AWM content fields | xwiki-platform | CWE-95 | 9.9 | Critical | 2023-08-23 |
| CVE-2023-40176 | SXSS in the user profile via the timezone displayer | xwiki-platform | CWE-79 | 9.1 | Critical | 2023-08-23 |
| CVE-2023-37914 | Privilege escalation (PR)/RCE from account through Invitation subject/message | xwiki-platform | CWE-94 | 9.9 | Critical | 2023-08-17 |
| CVE-2023-38509 | XWiki Platform's obfuscated email addresses should not be sorted | xwiki-platform | CWE-402 | 4.3 | Medium | 2023-07-27 |
| CVE-2023-37462 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in org.xwiki.platform:xwiki-platform-skin-ui | xwiki-platform | CWE-74 | 10.0 | Critical | 2023-07-14 |
| CVE-2023-37277 | XWiki Platform vulnerable to cross-site request forgery (CSRF) via the REST API | xwiki-platform | CWE-352 | 9.7 | Critical | 2023-07-10 |
| CVE-2023-36477 | Persistent Cross-site Scripting (XSS) through CKEditor Configuration pages in XWiki Platform | xwiki-platform | CWE-79 | 9.1 | Critical | 2023-06-30 |
| CVE-2023-36468 | Upgrading doesn't prevent exploiting vulnerable XWiki documents | xwiki-platform | CWE-459 | 10.0 | Critical | 2023-06-29 |
| CVE-2023-36469 | Code injection through NotificationRSSService in XWiki Platform | xwiki-platform | CWE-74 | 10.0 | Critical | 2023-06-29 |
| CVE-2023-36470 | Code injection in icon themes of XWiki Platform | xwiki-platform | CWE-74 | 10.0 | Critical | 2023-06-29 |
| CVE-2023-36471 | HTML sanitizer allows form elements in restricted in org.xwiki.commons:xwiki-commons-xml | xwiki-commons | CWE-74 | 9.1 | Critical | 2023-06-29 |
| CVE-2023-35162 | XPlatform Wiki vulnerable to cross-site scripting via xcontinue parameter in preview actions template | xwiki-platform | CWE-79 | 9.7 | Critical | 2023-06-23 |
| CVE-2023-35161 | XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in DeleteApplication page | xwiki-platform | CWE-87 | 9.7 | Critical | 2023-06-23 |
| CVE-2023-35160 | XWiki Platform vulnerable to reflected cross-site scripting via back and xcontinue parameters in resubmit template | xwiki-platform | CWE-87 | 9.7 | Critical | 2023-06-23 |
| CVE-2023-35159 | XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in deletespace template | xwiki-platform | CWE-87 | 9.7 | Critical | 2023-06-23 |
| CVE-2023-35158 | XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in restore template | xwiki-platform | CWE-87 | 9.7 | Critical | 2023-06-23 |

This page lists every published CVE security advisory associated with xwiki. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.