
xwiki — Vulnerabilities & Security Advisories (243)

Browse all 243 CVE security advisories affecting xwiki. AI-powered Chinese analysis, POCs, and references for each vulnerability.

XWiki is an open-source enterprise wiki platform that lets organizations create, manage, and share collaborative documentation and knowledge bases. Its architecture, built on Java and supporting complex extensions, has historically exposed it to a wide range of security flaws, resulting in 243 recorded CVEs. The most prevalent issues are Remote Code Execution (RCE), Cross-Site Scripting (XSS), and privilege escalation, often stemming from improper input validation or insecure default configurations. Notable incidents have included attackers exploiting unpatched RCE flaws to gain full system control, highlighting the risk carried by its extensive plugin ecosystem. While the project maintains an active security response team, the sheer volume of disclosed defects underscores the complexity of securing a feature-rich, Java-based application. Continuous patching and strict access controls remain essential for mitigating these persistent threats in production environments.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2022-31166 | XWiki.WebHome vulnerable to Improper Privilege Management in XWiki resolving groups | xwiki-platform | CWE-269 | 8.1 | High | 2022-09-07 |
| CVE-2022-31167 | XWiki Platform Security Parent POM vulnerable to overwriting of security rules of a page with a final page having the same reference | xwiki-platform | CWE-285 | 7.1 | High | 2022-09-07 |
| CVE-2022-29258 | Cross-site Scripting in Filter Stream Converter Application in XWiki Platform | xwiki-platform | CWE-80 | 7.4 | High | 2022-05-31 |
| CVE-2022-29251 | Cross-site Scripting in the Flamingo theme manager | xwiki-platform | CWE-80 | 7.4 | High | 2022-05-25 |
| CVE-2022-29252 | Cross-site Scripting in XWiki Platform Wiki UI Main Wiki | xwiki-platform | CWE-80 | 7.4 | High | 2022-05-25 |
| CVE-2022-29253 | Path Traversal in XWiki Platform | xwiki-platform | CWE-24 | 2.7 | Low | 2022-05-25 |
| CVE-2022-29161 | Crypto script service uses hashing algorithm SHA1 with RSA for certificate signature in xwiki-platform | xwiki-platform | CWE-327 | 5.4 | Medium | 2022-05-05 |
| CVE-2022-24897 | Arbitrary filesystem write access from Velocity | xwiki-commons | CWE-22 | 7.5 | High | 2022-05-02 |
| CVE-2022-24898 | Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml | xwiki-commons | CWE-611 | 4.9 | Medium | 2022-04-28 |
| CVE-2022-24820 | Unauthenticated user can list hidden documents from multiple velocity templates | xwiki-platform | CWE-359 | 5.3 | Medium | 2022-04-08 |
| CVE-2022-24819 | Unauthenticated user can retrieve the list of users through uorgsuggest.vm | xwiki-platform | CWE-359 | 5.3 | Medium | 2022-04-08 |
| CVE-2022-24821 | Incorrect Use of Privileged APIs in org.xwiki.platform.skin.skinx | xwiki-platform | CWE-648 | 6.8 | Medium | 2022-04-08 |
| CVE-2022-23622 | Cross-site scripting in registration template in xwiki-platform | xwiki-platform | CWE-79 | 7.4 | High | 2022-02-09 |
| CVE-2022-23621 | Missing authorization in xwiki-platform | xwiki-platform | CWE-862 | 5.5 | Medium | 2022-02-09 |
| CVE-2022-23620 | Path traversal in xwiki-platform-skin-skinx | xwiki-platform | CWE-22 | 6.8 | Medium | 2022-02-09 |
| CVE-2022-23619 | Information exposure in xwiki-platform | xwiki-platform | CWE-200 | 5.3 | Medium | 2022-02-09 |
| CVE-2022-23618 | Open Redirect in xwiki-platform | xwiki-platform | CWE-601 | 4.7 | Medium | 2022-02-09 |
| CVE-2022-23617 | Missing authorization in xwiki-platform | xwiki-platform | CWE-862 | 6.5 | Medium | 2022-02-09 |
| CVE-2022-23616 | Remote code execution in xwiki-platform | xwiki-platform | CWE-74 | 8.8 | High | 2022-02-09 |
| CVE-2022-23615 | Partial authorization bypass on document save in xwiki-platform | xwiki-platform | CWE-863 | 5.4 | Medium | 2022-02-09 |
| CVE-2021-43841 | XSS by SVG upload in xwiki-platform | xwiki-platform | CWE-79 | 5.4 | Medium | 2022-02-04 |
| CVE-2021-32732 | Cross-Site Request Forgery in xwiki-platform | xwiki-platform | CWE-352 | 7.5 | High | 2022-02-04 |
| CVE-2021-32731 | The reset password form reveals users' email addresses | xwiki-platform | CWE-200 | 5.3 | Medium | 2021-07-01 |
| CVE-2021-32730 | No CSRF protection on the password change form | xwiki-platform | CWE-352 | 5.7 | Medium | 2021-07-01 |
| CVE-2021-32729 | A user without PR can reset user authentication failure information | xwiki-platform | CWE-693 | 2.0 | Low | 2021-07-01 |
| CVE-2021-32620 | Users registered with email verification can self re-activate their disabled accounts | xwiki-platform | CWE-285 | 8.8 | High | 2021-05-28 |
| CVE-2021-32621 | Script injection without script or programming rights through Gadget titles | xwiki-platform | CWE-94 | 8.8 | High | 2021-05-28 |
| CVE-2021-29459 | XSS Cross Site Scripting | xwiki-platform | CWE-79 | 9.6 | Critical | 2021-04-20 |
| CVE-2021-21380 | Rating Script Service exposes XWiki to SQL injection | xwiki-platform | CWE-89 | 7.7 | High | 2021-03-23 |
| CVE-2021-21379 | It's possible to execute anything with the rights of the author of a macro which uses the {{wikimacrocontent}} macro | xwiki-platform | CWE-281 | 7.7 | High | 2021-03-12 |

This page lists every published CVE security advisory associated with xwiki. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.