Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required.
Published: 2026-01-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via XSS
Action: Immediate Patch
AI Analysis

Impact

XWiki Platform suffers from a reflected Cross‑Site Scripting flaw that is triggered by specially crafted URLs in error messages. When an authenticated user, particularly one with administrative or programming rights, opens such a URL, malicious script runs in the victim’s browser under the victim’s session. This script can in turn invoke any actions that the victim is authorized to perform, effectively giving the attacker the same level of access to the application. The weakness is identified as CWE‑79 and CWE‑80, indicating that malicious input is accepted and reflected without adequate sanitization.

Affected Systems

Vulnerable releases include XWiki Platform versions 7.0‑milestone‑2 through 16.10.11, 17.0.0‑rc‑1 through 17.4.4, and 17.5.0‑rc‑1 through 17.7.0. The affected product is the XWiki Platform (commonly referred to simply as XWiki).

Risk and Exploitability

The CVSS base score of 6.5 places the vulnerability in the medium severity range. Exploitation probability as measured by EPSS is under 1 %, indicating that widespread attacks are unlikely but still possible. The flaw is not currently listed in the CISA Known Exploited Vulnerabilities catalog. An attacker could exploit this vector by constructing a malicious link and convincing a user with sufficient privileges to click it, enabling them to execute actions with that user’s permissions.

Generated by OpenCVE AI on April 18, 2026 at 03:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade XWiki Platform to any of the patched releases 16.10.12, 17.4.5, or 17.8.0‑rc‑1
  • If upgrade is not immediately feasible, apply the manual workaround by editing the file templates/logging_macros.vm to replace the single vulnerable line; a restart is not required
  • Disable or tightly restrict detailed error messages that might expose stack traces or internal data to reduce the efficacy of reflected XSS attacks
  • Monitor application logs for anomalous script injection attempts or unauthorized actions performed by users

Generated by OpenCVE AI on April 18, 2026 at 03:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wvqx-m5px-6cmp XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages
History

Thu, 12 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Xwiki xwiki
Xwiki xwiki-rendering
CPEs cpe:2.3:a:xwiki:xwiki-rendering:17.5.0:rc1:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:17.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:7.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:7.0:rc1:*:*:*:*:*:*
Vendors & Products Xwiki xwiki
Xwiki xwiki-rendering
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Xwiki
Xwiki xwiki-platform
Vendors & Products Xwiki
Xwiki xwiki-platform

Fri, 23 Jan 2026 23:30:00 +0000

Type Values Removed Values Added
Description XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required.
Title XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages
Weaknesses CWE-79
CWE-80
References
Metrics cvssV4_0

{'score': 6.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Xwiki Xwiki Xwiki-platform Xwiki-rendering
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T17:12:52.761Z

Reserved: 2026-01-21T18:38:22.473Z

Link: CVE-2026-24128

cve-icon Vulnrichment

Updated: 2026-01-26T17:12:45.379Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-24T00:15:49.007

Modified: 2026-02-12T16:47:29.200

Link: CVE-2026-24128

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses