Key vulnerability information

Vulnerability type: Reflected Cross-Site Scripting (XSS) in Error Messages

Vulnerability ID: CVE-2026-24128

Package name: org.xwiki.platform:xwiki-platform-web-templates (Maven)

Affected versions: >= 7.0-milestone-2, = 17.0.0-rc-1, = 17.5.0-rc-1, < 17.8.0-rc-1

Patched versions: 16.10.12, 17.4.5, 17.8.0-rc-1

Severity: Moderate (CVSS v4 base score: 6.5/10)

Impact: A reflected cross-site scripting (XSS) vulnerability in XWiki allows an attacker to execute arbitrary actions in XWiki with the rights of the victim if the attacker manages to trick a victim into visiting a crafted URL. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation.

Patches: This vulnerability has been patched in XWiki 17.8.0RC1, 17.4.5 and 16.10.12.

Workarounds: The patch can be applied manually; only a single line in needs to be changed, and no restart is required.

References:
8337ac8
https://jira.xwiki.org/browse/XWIKI-23462

Credits: We thank Mike Cole @mikecole-mg for discovering and reporting this vulnerability.