Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7, and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting (XSS) vulnerability in the comparison view between revisions of a page that allows executing JavaScript code in the user's browser. If the current user is an admin, this affects not only the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.
Published: 2026-04-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side execution via reflected XSS
Action: Immediate Patch
AI Analysis

Impact

XWiki Platform versions from 10.4‑rc‑1 to 17.10.0 contain a reflected cross‑site scripting flaw in the page history compare view. An attacker can craft a URL that injects malicious JavaScript when a comparison is rendered, allowing the attacker to run arbitrary code in the victim’s browser. If the victim is an administrator, the malicious script can affect the entire XWiki instance, exposing confidential data, altering site content, or causing denial of service within that hosting environment. This is a typical CWE‑80 vulnerability, where unsanitized user‑supplied input is reflected in the response.

Affected Systems

The vulnerability impacts only XWiki Platform, specifically the vendor product xwiki-platform. Affected releases include 10.4‑rc‑1 through 16.10.15, 17.0.0‑rc‑1 through 17.4.7, and 17.5.0‑rc‑1 through 17.10.0. All of these versions expose the vulnerable comparison page; newer releases beyond 17.10.0 contain the fix.

Risk and Exploitability

The CVSS score is 6.5, representing a medium severity. EPSS data is missing, so no automated estimation of current exploit likelihood is available, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred as an unauthenticated or authenticated user clicking a crafted link, with the attacker needing administrative privileges to fully exploit the vulnerability. The flaw is a standard reflected XSS, meaning exploitation typically requires user interaction, but once an admin is affected it can compromise the whole instance.

Generated by OpenCVE AI on April 15, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest XWiki Platform release that includes the fix (any version after 17.10.0).
  • If immediate upgrade is not possible, manually patch the file templates/changesdoc.vm in the deployed WAR to sanitize or remove the vulnerable rendering logic as described in the advisory.
  • Limit access to the page history compare functionality or require administrative login so that normal users cannot trigger the vulnerable view.

Generated by OpenCVE AI on April 15, 2026 at 02:21 UTC.

Advisories

Source: Github GHSA
ID: GHSA-w4fj-87j5-f25c
Title: XWiki has Reflected Cross-Site Scripting (XSS) in page history compare

History

Wed, 15 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Xwiki; Xwiki xwiki-platform

Type: Vendors & Products
Values removed: (none)
Values added: Xwiki; Xwiki xwiki-platform

Wed, 15 Apr 2026 01:15:00 +0000

Type: Description
Values removed: (none)
Values added: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.

Type: Title
Values removed: (none)
Values added: XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality

Type: Weaknesses
Values removed: (none)
Values added: CWE-80

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics (cvssV4_0)
Values removed: (none)
Values added: {'score': 6.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T16:13:48.450Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40105

Vulnrichment

Updated: 2026-04-15T14:02:37.918Z

NVD

Status: Received

Published: 2026-04-15T04:17:48.137

Modified: 2026-04-15T04:17:48.137

Link: CVE-2026-40105

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:49:14Z

Weaknesses