
22 matches found

Github Security Blog
added 2026/05/26 8:16 p.m. · 11 views

XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests

Impact: XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient: with slightly modified parameters to the LiveTableResults, it is still possible to discover password hashes one bit at a time, so with 768 requests a user's full password salt and hash can be retrieved...

AI score: 5.7
Exploits: 0 · References: 4 · Affected software: 1
OSV
added 2026/05/26 8:16 p.m. · 5 views

GHSA-RH28-MQJ4-8X59 XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests

Impact: XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient: with slightly modified parameters to the LiveTableResults, it is still possible to discover password hashes one bit at a time, so with 768 requests a user's full password salt and hash can be retrieved...

CVSS: 7.5 · AI score: 5.7
Exploits: 0 · References: 4
Positive Technologies
added 2026/05/21 12:00 a.m. · 6 views

PT-2026-43465

Name of the Vulnerable Software and Affected Versions: XWiki versions prior to 16.10.17; XWiki versions prior to 17.4.9; XWiki versions prior to 17.10.3; XWiki versions prior to 18.0.0RC1. Description: A path traversal issue allows an attacker to write arbitrary files, which could lead to overriding...

CVSS: 5.9 · AI score: 5.9
Exploits: 0 · References: 6
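The PT-2026-43465 entry only says that a path traversal lets an attacker write arbitrary files. The containment check a file-writing handler needs is shown below as an added example; it is not XWiki code and does not reproduce the affected code path. The base directory, the sample paths and the symlink are constructed for the demonstration. The point a practitioner should take away is that the check must run on the resolved (realpath) target, not on the string the caller supplied, so that both `..` segments and symlinks that point outside the base directory are rejected.

```python
"""
Containment check against path traversal when writing user-named files.
Added example, not XWiki's code: it demonstrates the general check, not
the specific endpoint the advisory describes.
"""
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would land outside the allowed directory."""


def resolve_inside(base_dir: str, user_path: str) -> str:
    """Return the absolute, symlink-resolved target for user_path under base_dir.

    Rejects absolute paths outright, then resolves the joined path with
    realpath (which follows symlinks and collapses '..') and requires the
    result to still sit under the resolved base directory.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_path):
        raise PathTraversalError(f"absolute path not allowed: {user_path!r}")
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole path components, so /srv/data2 is not
    # mistaken for a child of /srv/data the way a plain prefix test would.
    if os.path.commonpath([base, target]) != base:
        raise PathTraversalError(f"path escapes base directory: {user_path!r}")
    return target


def write_file(base_dir: str, user_path: str, data: bytes) -> str:
    """Write data to the contained target, creating parent directories."""
    target = resolve_inside(base_dir, user_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run constructed inputs through write_file and report the outcome of each.

    Two temporary directories stand in for the allowed base and an
    attacker-controlled location outside it (constructed for this example).
    """
    base = tempfile.mkdtemp(prefix="safe-write-")
    outside = tempfile.mkdtemp(prefix="outside-")
    # A symlink inside the base that points outside it: defeats naive
    # string checks, caught here because realpath follows the link.
    os.symlink(outside, os.path.join(base, "link"))
    cases = [
        "notes/a.txt",      # ordinary relative path: accepted
        "sub/../ok.txt",    # '..' that stays inside the base: accepted
        "../outside.txt",   # classic traversal: rejected
        "link/evil.txt",    # symlink escape: rejected
        "/etc/passwd",      # absolute path: rejected
    ]
    results = {}
    for path in cases:
        try:
            write_file(base, path, b"x")
            results[path] = "written"
        except PathTraversalError:
            results[path] = "rejected"
    return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{outcome:9s} {path}")
```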
Positive Technologies
added 2026/05/21 12:00 a.m. · 7 views

PT-2026-43466

Name of the Vulnerable Software and Affected Versions: XWiki versions prior to 18.0.0RC1; XWiki versions prior to 17.10.13; XWiki versions prior to 17.4.9; XWiki versions prior to 16.10.17. Description: An insufficient patch allows for the discovery of password hashes one bit at a time by using modifie...

CVSS: 7.5 · AI score: 5.8
Exploits: 0 · References: 6
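The three entries above for the LiveTableResults leak (the Github Security Blog and OSV records for GHSA-RH28-MQJ4-8X59, and PT-2026-43466) all state the same mechanism: a filter parameter whose response reveals one bit about a hidden field per request, so 768 requests recover the full salt and hash. The added example below, which is not XWiki code and never contacts an XWiki instance, shows why that number falls out of a binary search over a hex alphabet. The oracle is a local simulation of that class of leak (it only ever answers whether the character at a position falls in a given character class), and the 192-hex-character salt-plus-hash layout is an assumption chosen because 192 positions × 4 bits = 768 queries matches the advisory's figure; it is not a claim about XWiki's stored format.

```python
"""
Bit-by-bit recovery of a hidden string through a yes/no filter oracle.
Added example, not XWiki's code: SimulatedOracle stands in for the
vulnerable endpoint and holds a constructed secret.
"""
import hashlib
import secrets

HEX = "0123456789abcdef"


class SimulatedOracle:
    """Simulation of the leak (assumption, not XWiki's API).

    Answers one question per request: does the character at `position`
    belong to `char_class`? The character itself is never returned; the
    whole attack is built from the True/False answer and a query counter.
    """

    def __init__(self, secret: str):
        self._secret = secret
        self.queries = 0

    def matches(self, position: int, char_class: str) -> bool:
        self.queries += 1
        if position >= len(self._secret):
            return False
        return self._secret[position] in char_class


def recover_char(oracle: SimulatedOracle, position: int, alphabet: str = HEX) -> str:
    """Binary search over the alphabet: each query halves the candidate set,
    so a 16-symbol alphabet costs exactly log2(16) = 4 queries per position."""
    candidates = list(alphabet)
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        if oracle.matches(position, "".join(half)):
            candidates = half
        else:
            candidates = candidates[len(half):]
    return candidates[0]


def recover_secret(oracle: SimulatedOracle, length: int, alphabet: str = HEX) -> str:
    """Recover every position of a hidden string of known length."""
    return "".join(recover_char(oracle, i, alphabet) for i in range(length))


def make_constructed_secret() -> str:
    """Constructed sample: 64 hex chars of salt followed by a SHA-512 hex digest.

    Assumption: 192 hex characters is used because 192 * 4 = 768, the
    request count quoted in the advisory. It is not XWiki's storage format.
    """
    salt = secrets.token_hex(32)                                       # 64 hex chars
    digest = hashlib.sha512((salt + "password").encode()).hexdigest()  # 128 hex chars
    return salt + digest


def demo() -> tuple:
    """Run the extraction end to end; returns (recovered_correctly, queries_used)."""
    secret = make_constructed_secret()
    oracle = SimulatedOracle(secret)
    recovered = recover_secret(oracle, len(secret))
    return recovered == secret, oracle.queries


if __name__ == "__main__":
    ok, n = demo()
    print(f"recovered={ok} queries={n}")
```

The count is independent of the secret's value: the search always spends four queries per hex position, which is what makes "768 requests" a fixed cost rather than an average. The defensive corollary is that any filter, sort or search parameter that can be aimed at a password-hash field is a full disclosure primitive, no matter how little each individual response reveals.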
Positive Technologies
added 2026/04/14 12:00 a.m. · 3 views

PT-2026-32970

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as...

CVSS: 6.9 · AI score: 5.8 · EPSS: 0.00071
Exploits: 0 · References: 6
RedhatCVE
added 2025/12/11 10:01 p.m. · 3 views

CVE-2025-66473

XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of...

CVSS: 8.7 · AI score: 6.7 · EPSS: 0.00038
Exploits: 0 · References: 1
EUVD
added 2025/10/03 8:07 p.m. · 4 views

EUVD-2022-1713

Malicious code in bioql PyPI...

CVSS: 7.5 · AI score: 7.5 · EPSS: 0.00325
Exploits: 1 · References: 6
Vulnrichment
added 2025/09/03 8:19 p.m. · 1 view

CVE-2025-55748 XWiki Platform's configuration files can be accessed through jsx and sx endpoints

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as...

CVSS: 9.3 · AI score: 6.2 · EPSS: 0.00371
Exploits: 0 · References: 3
OSV
added 2025/06/13 8:24 p.m. · 2 views

GHSA-JM43-HRQ7-R7W6 XWiki allows privilege escalation through link refactoring

Impact: Pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should never have been executed. This vulnerability affects all versions of XWiki since 8.2 and 7.4.5...

CVSS: 8.5 · AI score: 6 · EPSS: 0.00799
Exploits: 1 · References: 5
RedhatCVE
added 2025/06/01 7:33 p.m. · 3 views

CVE-2025-48885

application-urlshortener creates shortened URLs for XWiki pages. Versions prior to 1.2.4 are vulnerable to users with view access being able to create arbitrary pages. Any user, even a guest, can create these documents, even if they don't exist already. This can enable guest users to denature the structur...

CVSS: 7.1 · AI score: 6.9 · EPSS: 0.0011
Exploits: 0 · References: 1
Vulnrichment
added 2025/04/30 2:55 p.m. · 13 views

CVE-2025-32974 org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page...

CVSS: 9 · AI score: 6.9 · EPSS: 0.00533
Exploits: 0 · References: 3
Positive Technologies
added 2025/04/29 12:00 a.m. · 3 views

PT-2025-18292 · Xwiki · Xwiki

Name of the Vulnerable Software and Affected Versions: XWiki versions 4.5.1 through 15.10.12; XWiki versions 16.0.0-rc-1 through 16.4.3; XWiki versions 16.5.0-rc-1 through 16.7.0-rc-1. Description: The Solr script service in XWiki does not account for dropped programming rights. Normally, the Solr...

CVSS: 3.8 · AI score: 6.4 · EPSS: 0.00096
Exploits: 1 · References: 12
Positive Technologies
added 2025/04/23 12:00 a.m. · 5 views

PT-2025-17643 · Xwiki · Xwiki

Name of the Vulnerable Software and Affected Versions: XWiki versions 1.6-milestone-1 through 15.10.16; XWiki versions prior to 16.4.6; XWiki versions prior to 16.10.1. Description: The issue allows a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection t...

CVSS: 8.8 · AI score: 7.6 · EPSS: 0.00433
Exploits: 1 · References: 12
OpenVAS
added 2025/04/23 12:00 a.m. · 5 views

XWiki 1.8 < 15.10.16, 16.0.0 < 16.4.6, 16.5.0 < 16.10.1 SQLi Vulnerability (GHSA-f69v-xrj8-rhxf)

XWiki is prone to a SQL injection (SQLi) vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:xwiki:xwiki"; if(description...

CVSS: 9.8 · AI score: 7.7 · EPSS: 0.12804
Exploits: 1 · References: 1
Github Security Blog
added 2025/03/19 8:34 p.m. · 9 views

The WikiManager REST API allows any user to create wikis

Impact: Any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager...

CVSS: 9.8 · AI score: 6.5 · EPSS: 0.01455
Exploits: 1 · References: 5 · Affected software: 1
Positive Technologies
added 2025/02/06 12:00 a.m. · 2 views

PT-2025-22410 · Xwiki · Xwiki

Name of the Vulnerable Software and Affected Versions: XWiki versions 16.10.0 through 16.10.3. Description: The issue is related to a bug in the implementation of required rights in XWiki, allowing any user with edit right on a document to set programming right as required right. This could lead t...

CVSS: 8.8 · AI score: 7 · EPSS: 0.04877
Exploits: 1 · References: 11
OpenVAS
added 2025/01/21 12:00 a.m. · 6 views

XWiki 9.7-rc-1 < 15.10.11, 16.0.0-rc-1 < 16.4.1, 16.5.0-rc-1 < 16.5.0 RCE Vulnerability (GHSA-2r87-74cx-2p7c)

XWiki is prone to a remote code execution (RCE) vulnerability (GHSA-2r87-74cx-2p7c, per the entry title). SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:xwiki:xwiki"; if(descriptio...

CVSS: 9.9 · AI score: 7.8 · EPSS: 0.33391
Exploits: 1 · References: 1
NVD
added 2023/04/16 8:15 a.m. · 8 views

CVE-2023-29511

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., their own user page) can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is...

CVSS: 9.9 · AI score: 9.7 · EPSS: 0.29247
Exploits: 1 · References: 3
Github Security Blog
added 2022/09/16 5:22 p.m. · 42 views

XWiki Platform Wiki UI Main Wiki Eval Injection vulnerability

Impact: It's possible to inject arbitrary wiki syntax, including Groovy, Python and Velocity script macros, via the request URL parameter using the XWikiServerClassSheet if the user has view access to this sheet and another page that has been saved with programming rights, a standard condition on a...

CVSS: 9.9 · AI score: 8.8 · EPSS: 0.21705
Exploits: 1 · References: 5 · Affected software: 1
Positive Technologies
added 2022/09/08 12:00 a.m. · 1 view

PT-2022-23180 · Xwiki · Xwiki

Name of the Vulnerable Software and Affected Versions: XWiki Platform Old Core versions prior to 13.1.0.5 and 14.3-rc-1. Description: The issue arises from missing checks for inactive users in XWiki, including the REST service, allowing a disabled user to enable themselves using a REST call. Some...

CVSS: 8.1 · AI score: 7.9 · EPSS: 0.01329
Exploits: 1 · References: 10