Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
Published: 2026-04-08
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

An improperly protected scripting API in XWiki Platform allows an attacker who has been granted script rights to bypass the Velocity sandbox and execute arbitrary scripts such as Python on the host operating system. This grants the attacker full control over the XWiki instance, compromising confidentiality, integrity, and availability of all data and services, effectively allowing them to modify or delete any content, perform privilege escalation, or launch further attacks against the underlying infrastructure. The flaw reflects a severe access-control issue (CWE-862).

Affected Systems

The vulnerability affects all XWiki Platform releases built before versions 17.4.8 and 17.10.1. The impacted products include the legacy OldCore distributions (org.xwiki.platform:xwiki-platform-legacy-oldcore and org.xwiki.platform:xwiki-platform-oldcore) as well as the standard xwiki-platform bundle. Administrators should verify that no untrusted accounts possess the script right privilege.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity risk. EPSS for this issue is not publicly available, and it is not listed in the CISA KEV catalog, which suggests no confirmed exploitation yet. Based on the description, the likely attack vector is an authenticated user with script rights exploiting the exposed API. Because script rights already provide a high level of access, the risk of exploitation is significant if any such accounts exist in the environment. Prompt remediation is essential to mitigate potential full compromise of the instance.

Generated by OpenCVE AI on April 8, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade XWiki Platform to version 17.4.8 or 17.10.1 (or a later release)
  • Revoke or restrict the script right privilege from accounts that do not require it
  • Verify that no untrusted users have script rights by reviewing user permissions
  • Check that the application is running a patched version by reviewing release notes
  • Enable logging and monitor for unexpected script execution attempts

Advisories
Source: GitHub GHSA
ID: GHSA-h259-74h5-4rh9
Title: XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API
History

Thu, 09 Apr 2026 08:30:00 +0000

First Time appeared (values added): Xwiki; Xwiki wiki-platform; Xwiki wiki-platform-legacy-oldcore; Xwiki wiki-platform-oldcore
Vendors & Products (values added): Xwiki; Xwiki wiki-platform; Xwiki wiki-platform-legacy-oldcore; Xwiki wiki-platform-oldcore

Wed, 08 Apr 2026 15:30:00 +0000

Description (values added): XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
Title (values added): XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API
Weaknesses (values added): CWE-862
References
Metrics (values added): cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:53:35.977Z

Reserved: 2026-03-18T02:42:27.507Z

Link: CVE-2026-33229

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T16:16:23.430

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-33229

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:18:45Z

Weaknesses