
xwiki — Vulnerabilities & Security Advisories (243)

Browse all 243 CVE security advisories affecting xwiki. AI-powered Chinese analysis, POCs, and references for each vulnerability.

XWiki is an open-source enterprise wiki platform used to create, manage and share collaborative documentation and knowledge bases. It is written in Java and is deeply extensible: wiki pages can carry scripts and macros, and features ship as installable extensions. That surface is where most of its 243 recorded CVEs come from. The most common classes in the listing below are missing or incorrect authorization checks (CWE-862, CWE-863, CWE-285), server-side code injection through wiki content, macros and sheets that ends in remote code execution (CWE-95, CWE-96), SQL injection in query and REST endpoints (CWE-89), and cross-site scripting. Several of the RCE entries are scored 9.8 to 10.0 and are reachable from an ordinary account or, in the case of CVE-2025-24893, as a guest; an unpatched flaw of that kind hands an attacker full control of the server. The project runs an active security response process, but the volume of advisories shows how hard a script-enabled, feature-rich Java application is to keep locked down. Prompt patching, limiting who holds script and programming rights, and strict access controls remain the essential mitigations in production.

All entries below are filed against the xwiki-platform package. "AI" marks a score or severity the site's AI analysis estimated rather than one published with the advisory; "-" means no severity was recorded.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-46554 | XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API | CWE-862 | 5.3 | Medium | 2025-04-30 |
| CVE-2025-46557 | Any user with view access to the XWiki space can change the authenticator | CWE-862 | 8.1 (AI) | High (AI) | 2025-04-30 |
| CVE-2025-32973 | org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right | CWE-862 | 9.1 | Critical | 2025-04-30 |
| CVE-2025-32974 | org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type | CWE-116 | 9.1 | Critical | 2025-04-30 |
| CVE-2025-32972 | The lesscss script service allows cache clearing without programming right | CWE-285 | 2.7 | Low | 2025-04-30 |
| CVE-2025-32971 | XWiki Solr script service doesn't take dropped programming right into account | CWE-863 | 3.8 | Low | 2025-04-30 |
| CVE-2025-32970 | org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability | CWE-601 | 6.1 | Medium | 2025-04-30 |
| CVE-2025-32969 | org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API | CWE-89 | 9.8 | - | 2025-04-23 |
| CVE-2025-32968 | org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API | CWE-89 | 8.8 | - | 2025-04-23 |
| CVE-2025-32783 | XWiki allows unregistered users to see "public" messages from a closed wiki via notifications from a different wiki | CWE-668 | 4.7 | Medium | 2025-04-16 |
| CVE-2025-29926 | The WikiManager REST API allows any user to create wikis | CWE-285 | 8.8 | - | 2025-03-19 |
| CVE-2025-29925 | XWiki allows unregistered users to access private pages information through REST endpoint | CWE-402 | 5.3 | - | 2025-03-19 |
| CVE-2025-29924 | XWiki uses the wrong wiki reference in AuthorizationManager | CWE-269 | 6.5 | - | 2025-03-19 |
| CVE-2025-24893 | Remote code execution as guest via SolrSearchMacros request in xwiki | CWE-95 | 9.8 | Critical | 2025-02-20 |
| CVE-2025-23025 | Privilege escalation (PR) through realtime WYSIWYG editing in XWiki | CWE-862 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-55879 | XWiki allows RCE from script right in configurable sections | CWE-862 | 9.1 | Critical | 2024-12-12 |
| CVE-2024-55877 | XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList | CWE-96 | 10.0 | Critical | 2024-12-12 |
| CVE-2024-55876 | XWiki's scheduler in subwiki allows scheduling operations for any main wiki user | CWE-862 | 7.1 | - | 2024-12-12 |
| CVE-2024-55663 | XWiki Platform has an SQL injection in getdocuments.vm with sort parameter | CWE-116 | 8.8 | - | 2024-12-12 |
| CVE-2024-55662 | XWiki allows remote code execution through the extension sheet | CWE-96 | 10.0 | Critical | 2024-12-12 |
| CVE-2024-46978 | Missing checks for notification filter preferences editions in XWiki Platform | CWE-648 | 6.5 | Medium | 2024-09-18 |
| CVE-2024-46979 | Data leak of notification filters of users in XWiki Platform | CWE-200 | 5.3 | Medium | 2024-09-18 |
| CVE-2024-45591 | XWiki Platform document history including authors of any page exposed to unauthorized actors | CWE-862 | 5.3 | Medium | 2024-09-10 |
| CVE-2024-43400 | XWiki Platform allows XSS through XClass name in string properties | CWE-96 | 9.1 | Critical | 2024-08-19 |
| CVE-2024-43401 | In XWiki Platform, payloads stored in content are executed when a user with script/programming right edits them | CWE-269 | 9.1 | Critical | 2024-08-19 |
| CVE-2024-41947 | XWiki Platform XSS through conflict resolution | CWE-80 | 9.1 | Critical | 2024-07-31 |
| CVE-2024-37901 | XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet | CWE-95 | 10.0 | Critical | 2024-07-31 |
| CVE-2024-37900 | XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader | CWE-96 | 6.4 | Medium | 2024-07-31 |
| CVE-2024-37898 | XWiki Platform vulnerable to document deletion and overwrite from edit | CWE-862 | 4.3 | Medium | 2024-07-31 |
| CVE-2024-38369 | XWiki programming rights may be inherited by inclusion | CWE-863 | 10.0 | Critical | 2024-06-24 |

This page lists every published CVE security advisory associated with xwiki. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.
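To turn a listing like this into a patch-priority list for an XWiki deployment, here is an added example (it is not code from this site or from the XWiki project). It parses advisories in the flattened one-line-per-entry form the page is scraped in, treats the `AI` suffix as "estimated rather than published", fills in a missing severity (`-`) from the CVSS v3 qualitative bands, ranks everything at or above a threshold, and counts entries per CWE so you can see which weakness class dominates. The sample rows are copied from the listing above; the `Advisory` record and the function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: six rows copied from the listing above, in the raw
# one-line-per-advisory form (title, em dash, package+CWE, CVSS[AI], severity[AI], date).
SAMPLE = """\
CVE-2025-46554 XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API \u2014 xwiki-platformCWE-862 5.3 Medium2025-04-30
CVE-2025-46557 Any user with view access to the XWiki space can change the authenticator \u2014 xwiki-platformCWE-862 8.1AIHighAI2025-04-30
CVE-2025-32969 org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API \u2014 xwiki-platformCWE-89 9.8 -2025-04-23
CVE-2025-24893 Remote code execution as guest via SolrSearchMacros request in xwiki \u2014 xwiki-platformCWE-95 9.8 Critical2025-02-20
CVE-2024-55877 XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList \u2014 xwiki-platformCWE-96 10.0 Critical2024-12-12
CVE-2025-32972 The lesscss script service allows cache clearing without programming right \u2014 xwiki-platformCWE-285 2.7 Low2025-04-30
"""

# One advisory per line. The package name and CWE are run together ("xwiki-platformCWE-862"),
# the CVSS score and severity may carry an "AI" suffix, and the severity may be "-".
ROW = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<title>.+?)\s+\u2014\s+"
    r"(?P<pkg>\S+?)(?P<cwe>CWE-\d+)\s+(?P<cvss>\d{1,2}\.\d)(?P<cvss_ai>AI)?\s*"
    r"(?P<sev>Critical|High|Medium|Low|-)(?P<sev_ai>AI)?(?P<date>\d{4}-\d{2}-\d{2})$"
)


@dataclass
class Advisory:
    cve: str
    title: str
    package: str
    cwe: str
    cvss: float
    severity: str
    estimated: bool   # True when the score or severity was flagged "AI" (estimated, not published)
    published: str


def severity_from_cvss(score: float) -> str:
    """CVSS v3.x qualitative rating bands; used only when the listing shows '-'."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def parse_listing(text: str) -> list[Advisory]:
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("CVE-"):
            continue  # header, blank line or surrounding prose
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")  # fail loudly rather than silently drop an advisory
        score = float(m["cvss"])
        severity = m["sev"] if m["sev"] != "-" else severity_from_cvss(score)
        rows.append(Advisory(
            cve=m["cve"], title=m["title"], package=m["pkg"], cwe=m["cwe"],
            cvss=score, severity=severity,
            estimated=bool(m["cvss_ai"] or m["sev_ai"]),
            published=m["date"],
        ))
    return rows


def patch_priority(rows: list[Advisory], min_cvss: float = 9.0) -> list[Advisory]:
    """Entries at or above min_cvss, highest score first; within a score, published
    (non-estimated) values rank ahead of AI-estimated ones, then newest first."""
    newest_first = sorted(rows, key=lambda r: r.published, reverse=True)
    return sorted((r for r in newest_first if r.cvss >= min_cvss),
                  key=lambda r: (-r.cvss, r.estimated))  # stable sort keeps newest-first ties


def cwe_breakdown(rows: list[Advisory]) -> Counter:
    """How many advisories fall under each CWE, e.g. to see whether missing authorization dominates."""
    return Counter(r.cwe for r in rows)


if __name__ == "__main__":
    advisories = parse_listing(SAMPLE)
    for a in patch_priority(advisories):
        flag = " (estimated)" if a.estimated else ""
        print(f"{a.cve}  {a.cvss:>4}{flag}  {a.severity:<8} {a.cwe:<8} {a.title}")
    print(cwe_breakdown(advisories).most_common())
```

Point the parser at the full listing (or at the site's export of it) to get the ranked table for the whole 243 entries; anything marked estimated deserves a second look against the upstream advisory before it drives a change-freeze decision.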