Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
Published: 2026-05-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the POST "/wikis/{wikiName}" REST API of XWiki Platform. In versions starting with 15.10.6 and prior to 18.1.0‑rc‑1, 17.10.3, 17.4.9, and 16.10.17, the API performs a XAR import without any authentication or authorization checks, enabling an unauthenticated attacker to create or update documents in the target wiki. As a result, the attacker can inject, delete, or overwrite arbitrary wiki pages, compromising content integrity and potentially aiding further exploitation. The issue has been fixed in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0‑rc‑1.

Affected Systems

The issue affects XWiki Platform versions prior to 18.1.0‑rc‑1, 17.10.3, 17.4.9, and 16.10.17. The fix was implemented in 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0‑rc‑1. The affected product is the XWiki Platform, a generic wiki platform used for building applications.

Risk and Exploitability

The CVSS score of 9.3 categorizes this flaw as Critical, highlighting its severe potential impact. The EPSS score is reported as less than 1% (approximately 0.00016), indicating a very low exploitation probability, although the lack of authentication checks makes it a high‑impact vulnerability once discovered. This entry is not listed in the CISA KEV catalog. The flaw can be triggered over the network by supplying a crafted POST request to the /wikis/{wikiName} REST endpoint. The likely attack vector is a direct network POST request with a malicious XAR payload, requiring no credentials.

Generated by OpenCVE AI on May 26, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade XWiki Platform to version 16.10.17 or later, including 17.4.9, 17.10.3, 18.0.1, or 18.1.0‑rc‑1.
  • Configure firewall or network access controls to block unauthenticated POST requests to /wikis/{wikiName} until the patch is applied.
  • Enable and enforce authentication and authorization for the REST API, ensuring that only privileged users can execute XAR imports.

Generated by OpenCVE AI on May 26, 2026 at 21:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qrvh-r3f2-9h4r XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
History

Tue, 26 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1. XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

Thu, 21 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 May 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Xwiki
Xwiki wiki-platform
Vendors & Products Xwiki
Xwiki wiki-platform

Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
Title XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Xwiki Wiki-platform
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T18:20:49.991Z

Reserved: 2026-03-17T20:35:49.929Z

Link: CVE-2026-33137

cve-icon Vulnrichment

Updated: 2026-05-21T13:25:29.397Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T20:16:37.567

Modified: 2026-05-26T19:16:27.020

Link: CVE-2026-33137

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T21:30:16Z

Weaknesses