CVE-2026-33229 - Vulnerability Details

- XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.

Published: 2026-04-08

Score: 8.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An improperly protected scripting API in XWiki Platform allows any user who has the script right to bypass the sandboxing of the Velocity scripting engine and execute arbitrary Python scripts, thereby gaining full control of the instance. This vulnerability compromises confidentiality, integrity, and availability of the entire XWiki installation.

Affected Systems

The flaw affects the XWiki Platform product family before version 17.4.8 and 17.10.1, including the old core and legacy core components provided by the XWiki consortium. Users of these releases who have been granted script rights are at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.6 and an EPSS score of less than 1 percent, and it is not listed in CISA’s KEV catalog. Exploitation requires a user with script rights, a privilege that should be reserved for trusted administrators. Once achieved, the attacker can execute arbitrary code and compromise the entire platform.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

xwiki

xwiki-platform

affected

Version	Status	Constraints
`>= 17.0.0-rc-1, < 17.4.8`	affected	—
`>= 17.5.0-rc-1, < 17.10.1`	affected	—

org.xwiki.platform

xwiki-platform-legacy-oldcore

affected

Version	Status	Constraints
`>= 17.0.0-rc-1, < 17.4.8`	affected	—
`>= 17.5.0-rc-1, < 17.10.1`	affected	—

org.xwiki.platform

xwiki-platform-oldcore

affected

Version	Status	Constraints
`>= 17.0.0-rc-1, < 17.4.8`	affected	—
`>= 17.5.0-rc-1, < 17.10.1`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::

No data.

Vendor Product Confidence Versions

Xwiki

Wiki-platform

85%

Version	Status	Scheme	Platform
`[17.0.0-rc-1,17.4.8)`	affected	semver	—
`[17.5.0-rc-1,17.10.1)`	affected	semver	—

Xwiki

Wiki-platform-legacy-oldcore

100%

Version	Status	Scheme	Platform
`[17.0.0-rc-1,17.4.8)`	affected	semver	—
`[17.5.0-rc-1,17.10.1)`	affected	semver	—

Xwiki

Wiki-platform-oldcore

100%

Version	Status	Scheme	Platform
`[17.0.0-rc-1,17.4.8)`	affected	semver	—
`[17.5.0-rc-1,17.10.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update XWiki Platform to at least version 17.4.8 or 17.10.1 to eliminate the vulnerability.
Revoke script rights from untrusted or non‑administrative users to prevent use of the exposed API.
Verify that the Velocity scripting sandbox is active and no custom extensions expose the API backdoor.

Generated by OpenCVE AI on April 14, 2026 at 21:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-h259-74h5-4rh9	XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00065.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9
https://jira.xwiki.org/browse/XWIKI-23698
https://jira.xwiki.org/browse/XWIKI-23702

History

Tue, 14 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Xwiki xwiki
CPEs		cpe:2.3:a:xwiki:xwiki::::::::
Vendors & Products		Xwiki xwiki

Fri, 10 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Xwiki Xwiki wiki-platform Xwiki wiki-platform-legacy-oldcore Xwiki wiki-platform-oldcore
Vendors & Products		Xwiki Xwiki wiki-platform Xwiki wiki-platform-legacy-oldcore Xwiki wiki-platform-oldcore

Wed, 08 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
Title		XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API
Weaknesses		CWE-862
References		https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9 https://jira.xwiki.org/browse/XWIKI-23698 https://jira.xwiki.org/browse/XWIKI-23702
Metrics		cvssV4_0 `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Xwiki Wiki-platform Wiki-platform-legacy-oldcore Wiki-platform-oldcore Xwiki

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-08T14:53:35.977Z

Updated: 2026-04-10T20:33:15.897Z

Reserved: 2026-03-18T02:42:27.507Z

Link: CVE-2026-33229

Vulnrichment

Updated: 2026-04-10T20:33:10.351Z

NVD

Status : Analyzed

Published: 2026-04-08T16:16:23.430

Modified: 2026-04-14T20:08:07.927

Link: CVE-2026-33229

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object