
xwiki-platform — Vulnerabilities & Security Advisories (227)

All 227 CVE vulnerabilities found in xwiki-platform, with AI-generated Chinese analysis, references, and POCs.

Vendor: xwiki

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2026-40105 | XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality | CWE-80 | 8.8 | - | 2026-04-15
CVE-2026-33229 | XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API | CWE-862 | 9.9 (AI) | Critical (AI) | 2026-04-08
CVE-2026-26000 | XWiki Platform affected by click-jacking through CSS injection in comments | CWE-1021 | 4.1 (AI) | Medium (AI) | 2026-02-12
CVE-2026-24128 | XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages | CWE-79 | 9.6 | - | 2026-01-23
CVE-2025-66473 | XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis | CWE-770 | 7.5 (AI) | High (AI) | 2025-12-10
CVE-2025-66472 | XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-12-10
CVE-2025-55749 | The XWiki Jetty package (XJetty) allows accessing any application file through URL | CWE-284 | 7.5 (AI) | High (AI) | 2025-12-01
CVE-2025-52472 | XWiki Platform vulnerable to HQL injection via wiki and space search REST API | CWE-89 | 7.1 (AI) | High (AI) | 2025-10-06
CVE-2025-55748 | XWiki Platform's configuration files can be accessed through jsx and sx endpoints | CWE-23 | 7.5 (AI) | High (AI) | 2025-09-03
CVE-2025-55747 | XWiki Platform's configuration files can be accessed through the webjars API | CWE-23 | 7.5 (AI) | High (AI) | 2025-09-03
CVE-2025-58049 | XWiki PDF export jobs store sensitive cookies unencrypted in job statuses | CWE-212 | 5.8 | Medium | 2025-08-28
CVE-2025-54125 | XWiki Platform: Password and email exposure in xml.vm fields | CWE-359 | 8.1 (AI) | High (AI) | 2025-08-05
CVE-2025-54124 | XWiki Platform: Any user with editing rights can access password properties through Database List Properties | CWE-359 | 6.5 (AI) | Medium (AI) | 2025-08-05
CVE-2025-32430 | XWiki Platform contains Reflected XSS vulnerability in two templates | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-08-05
CVE-2025-54385 | XWiki Platform's searchDocuments API allows for SQL injection | CWE-20 | 8.8 | - | 2025-07-26
CVE-2025-32429 | XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter | CWE-89 | 9.8 | - | 2025-07-24
CVE-2025-49587 | XWiki does not require right warnings for notification displayer objects | CWE-357 | 5.4 (AI) | Medium (AI) | 2025-06-13
CVE-2025-49586 | XWiki allows remote code execution through preview of XClass changes in AWM editor | CWE-863 | 8.8 (AI) | High (AI) | 2025-06-13
CVE-2025-49585 | XWiki does not require right warnings for XClass definitions | CWE-357 | 6.3 (AI) | Medium (AI) | 2025-06-13
CVE-2025-49584 | XWiki makes title of inaccessible pages available through the class property values REST API | CWE-201 | 5.3 (AI) | Medium (AI) | 2025-06-13
CVE-2025-49583 | XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right | CWE-270 | 4.6 (AI) | Medium (AI) | 2025-06-13
CVE-2025-49582 | XWiki's required right warnings for macros are incomplete | CWE-357 | 5.4 (AI) | Medium (AI) | 2025-06-13
CVE-2025-49581 | XWiki allows remote code execution through default value of wiki macro wiki-type parameters | CWE-94 | 8.8 (AI) | High (AI) | 2025-06-13
CVE-2025-49580 | XWiki allows privilege escalation through link refactoring | CWE-266 | 9.3 (AI) | Critical (AI) | 2025-06-13
CVE-2024-56158 | XWiki allows SQL injection in query endpoint of REST API with Oracle | CWE-89 | 9.8 (AI) | Critical (AI) | 2025-06-12
CVE-2025-48063 | XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right | CWE-285 | 7.1 (AI) | High (AI) | 2025-05-21
CVE-2025-46554 | XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API | CWE-862 | 5.3 | Medium | 2025-04-30
CVE-2025-46557 | Any user with view access to the XWiki space can change the authenticator | CWE-862 | 8.1 (AI) | High (AI) | 2025-04-30
CVE-2025-32973 | org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right | CWE-862 | 9.1 | Critical | 2025-04-30
CVE-2025-32974 | org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type | CWE-116 | 9.1 | Critical | 2025-04-30
