Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7, and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting (XSS) vulnerability in the comparison view between revisions of a page that allows executing JavaScript code in the user's browser. If the current user is an admin, this affects not only the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.
Published: 2026-04-15
Score: 6.5 Medium
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

XWiki Platform versions from 10.4-rc-1 to 17.10.0 contain a reflected cross-site scripting flaw in the page history compare view. An attacker can craft a URL that injects malicious JavaScript when a comparison is rendered, allowing the attacker to run arbitrary code in the victim's browser. If the victim is an administrator, the malicious script can affect the entire XWiki instance, exposing confidential data, altering site content, or causing denial of service within that hosting environment. This is a typical CWE-80 vulnerability, where unsanitized user-supplied input is reflected in the response without neutralizing script-related HTML.

Affected Systems

The vulnerability impacts only XWiki Platform, specifically the vendor product xwiki-platform. Affected releases include 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7, and 17.5.0-rc-1 through 17.10.0. All of these versions expose the vulnerable comparison page; newer releases beyond 17.10.0 contain the fix.

Risk and Exploitability

The CVSS score is 6.5, representing a medium severity. The EPSS score of 2% indicates a low but non-negligible likelihood of exploitation, consistent with the vulnerability's medium risk. The vulnerability is not listed in CISA KEV. The attack vector is inferred as an unauthenticated or authenticated user clicking a crafted link; full compromise of the entire instance requires that the victim who opens the link hold administrative privileges. The flaw is a standard reflected XSS, meaning exploitation typically requires user interaction.

Generated by OpenCVE AI on May 5, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest XWiki Platform release that includes the fix (any version after 17.10.0).
  • If immediate upgrade is not possible, manually patch the file templates/changesdoc.vm in the deployed WAR to sanitize or remove the vulnerable rendering logic as described in the advisory.
  • Limit access to the page history compare functionality or require administrative login so that normal users cannot trigger the vulnerable view.



Advisories

Source: GitHub GHSA
ID: GHSA-w4fj-87j5-f25c
Title: XWiki has Reflected Cross-Site Scripting (XSS) in page history compare
History

Thu, 23 Apr 2026 14:00:00 +0000

First Time appeared
  Values Added: Xwiki xwiki
CPEs
  Values Added: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Vendors & Products
  Values Added: Xwiki xwiki
Metrics (cvssV3_1)
  Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 15 Apr 2026 17:15:00 +0000

Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

First Time appeared
  Values Added: Xwiki; Xwiki xwiki-platform
Vendors & Products
  Values Added: Xwiki; Xwiki xwiki-platform

Wed, 15 Apr 2026 01:15:00 +0000

Description
  Values Added: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.
Title
  Values Added: XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality
Weaknesses
  Values Added: CWE-80
References
  Values Added: (none listed)
Metrics (cvssV4_0)
  Values Added: {'score': 6.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-15T16:13:48.450Z
Reserved: 2026-04-09T01:41:38.536Z
Link: CVE-2026-40105

Vulnrichment

Updated: 2026-04-15T14:02:37.918Z

NVD

Status: Analyzed
Published: 2026-04-15T04:17:48.137
Modified: 2026-04-23T13:52:12.417
Link: CVE-2026-40105

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T14:45:05Z

Weaknesses