Browse all 243 CVE security advisories affecting xwiki. AI-powered Chinese analysis, POCs, and references for each vulnerability.
XWiki serves as an open-source enterprise wiki platform, enabling organizations to create, manage, and share collaborative documentation and knowledge bases. Its architecture, built on Java and supporting complex extensions, has historically exposed it to a wide array of security flaws, resulting in 243 recorded Common Vulnerabilities and Exposures. The most prevalent issues involve Remote Code Execution (RCE), Cross-Site Scripting (XSS), and privilege escalation vulnerabilities, often stemming from improper input validation or insecure default configurations. Notable incidents have included attackers exploiting unpatched RCE flaws to gain full system control, highlighting the risks associated with its extensive plugin ecosystem. While the project maintains an active security response team, the sheer volume of disclosed defects underscores the complexity of securing a feature-rich, Java-based application. Continuous patching and strict access controls remain essential for mitigating these persistent threats in production environments.
| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-66474 | XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection | xwiki-rendering | CWE-95 | 8.8 (AI) | High (AI) | 2025-12-10 |
| CVE-2025-53836 | XWiki Rendering is vulnerable to RCE attacks when processing nested macros | xwiki-rendering | CWE-863 | 10.0 | Critical | 2025-07-14 |
| CVE-2025-53835 | XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax | xwiki-rendering | CWE-79 | 9.1 | Critical | 2025-07-14 |
| CVE-2023-37912 | XWiki Rendering's footnote macro vulnerable to privilege escalation via the footnote macro | xwiki-rendering | CWE-270 | 10.0 | Critical | 2023-10-25 |
| CVE-2023-37908 | org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability | xwiki-rendering | CWE-83 | 9.1 | Critical | 2023-10-25 |
| CVE-2023-32070 | Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers | xwiki-rendering | CWE-83 | 9.1 | Critical | 2023-05-10 |

Scores and severities marked "(AI)" are AI-estimated values shown on the listing, not vendor- or NVD-assigned ratings.
This page lists every published CVE security advisory associated with xwiki. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.