Resource Exhaustion

XWiki Platform is vulnerable to Resource Exhaustion. The vulnerability is due to missing query limits in REST API endpoints that enumerate database list properties, which allows an attacker to exhaust server resources by triggering large unbounded queries on large wiki instances...

PT-2026-32970

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as...

PT-2025-34485 · Unknown · Easy Hosting Control Panel

Name of the Vulnerable Software and Affected Versions: Easy Hosting Control Panel EHCP version 20.04.1.b Description: The List MySQL Databases function in Easy Hosting Control Panel EHCP is susceptible to a reflected cross-site scripting issue. Authenticated attackers can potentially execute...

XWiki Platform 安全漏洞

XWiki Platform is XWiki's open source suite of Wiki platforms for creating web collaboration applications. A security vulnerability exists in XWiki Platform that stems from a database list attribute that could disclose password hashes...

CVE-2025-54124 XWiki Platform: Any user with editing rights can access password properties through Database List Properties

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can creat...

GHSA-R38M-CGPG-QJ69 XWiki leaks password hashes and other accessible password properties

Impact Any user with edit right on a page of the wiki can create an XClass with a database list property that references a password property, for example the password hash that is stored for users. When adding an object of that XClass, the content of that password property is displayed. In...

CVE-2023-24773

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/list...

SQL Injection in default_jsonalyzer via prompt injection leads to arbitrary file creation

Target Link Description defaultjsonalyzer function used in JSONalyzeQueryEngine execute a sqlite query that llm made. If the attacker control the sqlite query with prompt injection and execute a malicious sqlite query, then Denial-of-Service attack and arbitrary file creation is possible. Root...

CVE-2023-24773

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/list...

CVE-2023-24773

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/list...

GHSA-VPX4-7RFP-H545 Unprivileged XWiki Platform users can make arbitrary select queries using DatabaseListProperty and suggest.vm

Impact Any user with edit right can execute arbitrary database select and access data stored in the database. To reproduce: In admin, rights, remove scripting rights for XWikiAllGroup. Create a new user without any special privileges. Create a page "Private.WebHome" with TOKEN42 as content. Go to...