XWiki Platform is vulnerable to HQL injection via wiki and space search REST API

Impact The REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it's not that easy to exploit. The part of the query between the two fields can b...

GHSA-GPRP-H92G-GC2H XWiki Platform is vulnerable to HQL injection via wiki and space search REST API

Impact The REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it's not that easy to exploit. The part of the query between the two fields can b...

CVE-2025-52472 XWiki Platform vulnerable to HQL injection via wiki and space search REST API

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is...