CVE-2026-1136
A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. This manipulation of the argument content/author/title causes cross-site scripting. Remote exploitatio...
BootDo code injection vulnerability
BootDo is a backend management system framework developed by lcg0124. lcg0124 BootDo has a code injection vulnerability, which stems from incorrect handling of parameters in the file /blog/bContent/save, specifically those related to content/author/title. This vulnerability may lead to cross-site...
XWiki Platform privilege escalation from script right to programming right through title displayer
Impact In XWiki Platform, it's possible for a user to write a script in which any velocity content is executed with the right of any other document content author. To reproduce: As a user with script but not programming right, create a document with the following content: velocity set$main =...
CVE-2023-40573
CVE-2023-40573 affects XWiki Platform’s Groovy job scheduler. The vulnerability arises because the system validates the content author for programming rights on scheduled Groovy jobs, while modifications to a job script on a document do not update the author, enabling an attacker with edit rights...
GHSA-JH3W-6JP2-VQQM Missing permission check of canView in GridFieldPrintButton
The GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Upgrade to silverstripe/framework 4.12.5 or above to address the issue. Reported by Stephan Bauer from relaxt...
CVE-2023-26474
XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds...