| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-40105 | XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality | xwiki | xwiki-platform | Medium | - | 2026-04-15 00:07:23 | Deep Dive |
| CVE-2026-40104 | XWiki's REST APIs can list all pages/spaces, leading to unavailability | xwiki | org.xwiki.platform:xwiki-platform-oldcore | Medium | - | 2026-04-15 00:01:59 | Deep Dive |
| CVE-2026-33229 | XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API | xwiki | xwiki-platform | - | - | 2026-04-08 14:53:36 | Deep Dive |
| CVE-2026-26000 | XWiki Platform affected by click-jacking through CSS injection in comments | xwiki | xwiki-platform | - | - | 2026-02-12 20:30:07 | Deep Dive |
| CVE-2026-24128 | XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages | xwiki | xwiki-platform | Medium | - | 2026-01-23 23:18:31 | Deep Dive |
| CVE-2025-66473 | XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis | xwiki | xwiki-platform | - | - | 2025-12-10 21:51:56 | Deep Dive |
| CVE-2025-66472 | XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication | xwiki | xwiki-platform | - | - | 2025-12-10 21:34:47 | Deep Dive |
| CVE-2025-55749 | The XWiki Jetty package (XJetty) allows accessing any application file through URL | xwiki | xwiki-platform | - | - | 2025-12-01 20:09:46 | Deep Dive |
| CVE-2025-52472 | XWiki Platform vulnerable to HQL injection via wiki and space search REST API | xwiki | xwiki-platform | - | - | 2025-10-06 14:53:47 | Deep Dive |
| CVE-2025-55748 | XWiki Platform's configuration files can be accessed through jsx and sx endpoints | xwiki | xwiki-platform | - | - | 2025-09-03 20:19:46 | Deep Dive |
| CVE-2025-55747 | XWiki Platform's configuration files can be accessed through the webjars API | xwiki | xwiki-platform | - | - | 2025-09-03 20:12:13 | Deep Dive |
| CVE-2025-58049 | XWiki PDF export jobs store sensitive cookies unencrypted in job statuses | xwiki | xwiki-platform | Medium | 5.8 | 2025-08-28 17:43:40 | Deep Dive |
| CVE-2025-54125 | XWiki Platform: Password and email exposure in xml.vm fields | xwiki | xwiki-platform | - | - | 2025-08-05 23:30:39 | Deep Dive |
| CVE-2025-54124 | XWiki Platform: Any user with editing rights can access password properties through Database List Properties | xwiki | xwiki-platform | - | - | 2025-08-05 23:28:07 | Deep Dive |
| CVE-2025-32430 | XWiki Platform contains Reflected XSS vulnerability in two templates | xwiki | xwiki-platform | - | - | 2025-08-05 23:27:07 | Deep Dive |
| CVE-2025-54385 | XWiki Platform's searchDocuments API allows for SQL injection | xwiki | xwiki-platform | Medium | - | 2025-07-26 03:28:49 | Deep Dive |
| CVE-2025-32429 | XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter | xwiki | xwiki-platform | Medium | - | 2025-07-24 22:22:35 | Deep Dive |
| CVE-2025-49587 | XWiki does not require right warnings for notification displayer objects | xwiki | xwiki-platform | - | - | 2025-06-13 17:51:48 | Deep Dive |
| CVE-2025-49586 | XWiki allows remote code execution through preview of XClass changes in AWM editor | xwiki | xwiki-platform | - | - | 2025-06-13 17:47:07 | Deep Dive |
| CVE-2025-49585 | XWiki does not require right warnings for XClass definitions | xwiki | xwiki-platform | - | - | 2025-06-13 17:33:34 | Deep Dive |