Description
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow configuration files to be read by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability can be exploited via the resources parameter of the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17.
Published: 2026-05-20
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a path‑traversal vulnerability in the XWiki Platform’s ssx and jsx endpoints, allowing an attacker to craft a URL containing a leading slash in the resources parameter and read arbitrary files outside the web application directory. This enables remote disclosure of sensitive configuration files such as xwiki.cfg, potentially revealing credentials and other confidential data, thereby compromising the confidentiality of the system.

Affected Systems

The affected product is the XWiki Platform, specifically the xwiki‑commons module. Vulnerable releases are all versions prior to 18.1.0‑rc‑1, 17.10.3, 17.4.9, or 16.10.17. These legacy releases may still be deployed in production environments.

Risk and Exploitability

The CVSS base score of 9.3 indicates a high‑severity issue, with no EPSS value and no listing in the CISA KEV catalog. The vulnerability can be exploited with low complexity by sending a crafted HTTP request to a publicly exposed ssx or jsx endpoint; the attack does not require authentication or privileged access, so the risk is significant for any publicly reachable instance of the affected XWiki Platform versions.

Generated by OpenCVE AI on May 20, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade XWiki Platform to a patched release (18.1.0‑rc‑1, 17.10.3, 17.4.9, or 16.10.17) or later, following the vendor’s update guidance.
  • Restrict access to the ssx and jsx endpoints by using network firewalls, reverse proxy rules, or application‑level access controls, so that only trusted internal users can reach these services.
  • Configure logging to capture attempts to use the resources parameter with leading slashes and review these logs regularly for suspicious activity.
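To support the logging recommendation above, here is an added detection example (not OpenCVE's or XWiki's own code) that scans web-server access log lines for requests to the ssx or jsx endpoints whose resource value begins with a slash or contains a ".." segment. The log lines are constructed samples, the combined-log format and optional context path are assumptions, and both the parameter name from the advisory text ("resources") and the one in its example URL ("resource") are checked.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2026:19:31:02 +0000] "GET /bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 1843
10.0.0.7 - - [20/May/2026:19:31:05 +0000] "GET /xwiki/bin/jsx/XWiki/Foo?resource=%2F..%2F..%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 912
10.0.0.9 - - [20/May/2026:19:31:09 +0000] "GET /bin/ssx/Main/WebHome?resource=style.css&minify=true HTTP/1.1" 200 411
10.0.0.9 - - [20/May/2026:19:31:12 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: XWiki may sit under an optional single-segment context path (e.g. /xwiki).
ENDPOINT_RE = re.compile(r"^/(?:[^/]+/)?bin/(ssx|jsx)/", re.I)


def is_traversal_attempt(target: str) -> bool:
    """True when the request targets /bin/ssx or /bin/jsx and its resource value,
    after URL decoding, starts with a slash or contains a '..' path segment."""
    parts = urlsplit(target)
    if not ENDPOINT_RE.match(parts.path):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in ("resource", "resources"):      # advisory text vs. example URL
        for value in params.get(name, []):
            decoded = unquote(value)            # parse_qs already decoded once
            if decoded.startswith("/") or ".." in decoded.split("/"):
                return True
    return False


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, request_target) for every suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"suspicious ssx/jsx request from {ip}: {target}")
```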


Advisories

No advisories yet.

History

Wed, 20 May 2026 19:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow configuration files to be read by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability can be exploited via the resources parameter of the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17.
Title        (none)           XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash
Weaknesses   (none)           CWE-23
References   (none)           (none)
Metrics      (none)           cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T18:39:32.313Z

Reserved: 2026-01-15T15:45:01.957Z

Link: CVE-2026-23734

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-20T20:16:36.027

Modified: 2026-05-20T20:16:36.027

Link: CVE-2026-23734

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T20:30:39Z

Weaknesses