GHSA-H259-74H5-4RH9 XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API

Impact An improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of...

XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API

Impact An improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of...

CVE-2026-33229 XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python...

CVE-2026-33229

XWiki Platform is affected by a remote-code-execution vulnerability due to an improperly protected scripting API that lets users with script right bypass the Velocity sandbox and run arbitrary code (e.g., Python scripts). This can grant full access to the XWiki instance, compromising confidential...

PT-2026-31324

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python...

EUVD-2020-1412

Malware in sbrugna...

EUVD-2022-0762

Malicious code in bioql PyPI...

EUVD-2025-12169

Malicious code in bioql PyPI...

CVE-2022-23621

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR for example xwiki.cfg and xwiki.properties through XWikiinvokeServletAndReturnAsString as...

CVE-2020-15171

In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT right EDIT right before XWiki 7.4 can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. The only...

PT-2025-18293 · Xwiki · Xwiki

Name of the Vulnerable Software and Affected Versions: XWiki versions 6.1-milestone-1 through 15.10.12 XWiki versions 16.0.0-rc-1 through 16.4.3 XWiki versions 16.5.0-rc-1 through 16.8.0-rc-1 Description: The script API of the LESS compiler in XWiki is incorrectly checking for rights when calling...

CVE-2025-32968

XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend...

CVE-2025-32968 org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API

XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend...

PT-2025-17643 · Xwiki · Xwiki

Name of the Vulnerable Software and Affected Versions: XWiki versions 1.6-milestone-1 through 15.10.16 XWiki versions prior to 16.4.6 XWiki versions prior to 16.10.1 Description: The issue allows a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection t...

CVE-2020-15252

In XWiki before version 12.5 and 11.10.6, any user with SCRIPT right EDIT right before XWiki 7.4 can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. This is...

CVE-2023-50732 Velocity execution without script right through tree macro

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1...

GHSA-4V38-964C-XJMW Code injection via unescaped translations in xwiki-platform

Impact In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at...

Code injection via unescaped translations in xwiki-platform

Impact In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at...

Design/Logic Flaw

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes. The admin right implies the script right and thus allows JavaScript injection. The vulnerability can ...

Design/Logic Flaw

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged...