
xwiki-platform — Vulnerabilities & Security Advisories 228

All 228 CVE vulnerabilities found in xwiki-platform, with AI-generated Chinese analysis, references, and POCs.

This page aggregates the publicly disclosed CVEs for XWiki Platform. Each entry records the CVE identifier, the advisory title, the CWE weakness class, a CVSS base score and qualitative severity where one is available, and the publication date. The weakness classes that recur are the ones you would expect from a wiki engine that lets users run server-side scripts: missing authorization on REST endpoints, escalation from script or edit right to programming right and remote code execution, HQL/SQL injection in search and query APIs, reflected cross-site scripting in templates, and exposure of configuration files and stored credentials. Grouping the entries by CWE and by publication date shows which classes keep reappearing across releases, which is more useful for patch planning than reading each advisory in isolation.

Two caveats apply when using the listing. Scores and severities marked "AI" are estimates generated by this site, not values assigned by the XWiki security team or by NVD; treat them as triage hints and confirm against the original advisory before acting on them. Entries shown with no score ("-") are unscored here, not low severity: CVE-2026-33137, an unauthenticated XAR import via REST, is listed without any score at all.

Vendor: xwiki

The 30 most recently published entries of the 228 are listed below, newest first. "AI est." marks a score or severity generated by this site; "-" means none is recorded.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-33137 | XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName} | CWE-862 | - | - | 2026-05-20 |
| CVE-2026-40105 | XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality | CWE-80 | 8.8 | - | 2026-04-15 |
| CVE-2026-33229 | XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API | CWE-862 | 9.9 (AI est.) | Critical (AI est.) | 2026-04-08 |
| CVE-2026-26000 | XWiki Platform affected by click-jacking through CSS injection in comments | CWE-1021 | 4.1 (AI est.) | Medium (AI est.) | 2026-02-12 |
| CVE-2026-24128 | XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages | CWE-79 | 9.6 | - | 2026-01-23 |
| CVE-2025-66473 | XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis | CWE-770 | 7.5 (AI est.) | High (AI est.) | 2025-12-10 |
| CVE-2025-66472 | XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication | CWE-79 | 6.1 (AI est.) | Medium (AI est.) | 2025-12-10 |
| CVE-2025-55749 | The XWiki Jetty package (XJetty) allows accessing any application file through URL | CWE-284 | 7.5 (AI est.) | High (AI est.) | 2025-12-01 |
| CVE-2025-52472 | XWiki Platform vulnerable to HQL injection via wiki and space search REST API | CWE-89 | 7.1 (AI est.) | High (AI est.) | 2025-10-06 |
| CVE-2025-55748 | XWiki Platform's configuration files can be accessed through jsx and sx endpoints | CWE-23 | 7.5 (AI est.) | High (AI est.) | 2025-09-03 |
| CVE-2025-55747 | XWiki Platform's configuration files can be accessed through the webjars API | CWE-23 | 7.5 (AI est.) | High (AI est.) | 2025-09-03 |
| CVE-2025-58049 | XWiki PDF export jobs store sensitive cookies unencrypted in job statuses | CWE-212 | 5.8 | Medium | 2025-08-28 |
| CVE-2025-54125 | XWiki Platform: Password and email exposure in xml.vm fields | CWE-359 | 8.1 (AI est.) | High (AI est.) | 2025-08-05 |
| CVE-2025-54124 | XWiki Platform: Any user with editing rights can access password properties through Database List Properties | CWE-359 | 6.5 (AI est.) | Medium (AI est.) | 2025-08-05 |
| CVE-2025-32430 | XWiki Platform contains Reflected XSS vulnerability in two templates | CWE-79 | 6.1 (AI est.) | Medium (AI est.) | 2025-08-05 |
| CVE-2025-54385 | XWiki Platform's searchDocuments API allows for SQL injection | CWE-20 | 8.8 | - | 2025-07-26 |
| CVE-2025-32429 | XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter | CWE-89 | 9.8 | - | 2025-07-24 |
| CVE-2025-49587 | XWiki does not require right warnings for notification displayer objects | CWE-357 | 5.4 (AI est.) | Medium (AI est.) | 2025-06-13 |
| CVE-2025-49586 | XWiki allows remote code execution through preview of XClass changes in AWM editor | CWE-863 | 8.8 (AI est.) | High (AI est.) | 2025-06-13 |
| CVE-2025-49585 | XWiki does not require right warnings for XClass definitions | CWE-357 | 6.3 (AI est.) | Medium (AI est.) | 2025-06-13 |
| CVE-2025-49584 | XWiki makes title of inaccessible pages available through the class property values REST API | CWE-201 | 5.3 (AI est.) | Medium (AI est.) | 2025-06-13 |
| CVE-2025-49583 | XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right | CWE-270 | 4.6 (AI est.) | Medium (AI est.) | 2025-06-13 |
| CVE-2025-49582 | XWiki's required right warnings for macros are incomplete | CWE-357 | 5.4 (AI est.) | Medium (AI est.) | 2025-06-13 |
| CVE-2025-49581 | XWiki allows remote code execution through default value of wiki macro wiki-type parameters | CWE-94 | 8.8 (AI est.) | High (AI est.) | 2025-06-13 |
| CVE-2025-49580 | XWiki allows privilege escalation through link refactoring | CWE-266 | 9.3 (AI est.) | Critical (AI est.) | 2025-06-13 |
| CVE-2024-56158 | XWiki allows SQL injection in query endpoint of REST API with Oracle | CWE-89 | 9.8 (AI est.) | Critical (AI est.) | 2025-06-12 |
| CVE-2025-48063 | XWiki Platform Security Authorization Bridge allows users with just edit right to enforce required rights with programming right | CWE-285 | 7.1 (AI est.) | High (AI est.) | 2025-05-21 |
| CVE-2025-46554 | XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API | CWE-862 | 5.3 | Medium | 2025-04-30 |
| CVE-2025-46557 | Any user with view access to the XWiki space can change the authenticator | CWE-862 | 8.1 (AI est.) | High (AI est.) | 2025-04-30 |
| CVE-2025-32973 | org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right | CWE-862 | 9.1 | Critical | 2025-04-30 |
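As an added example (not part of this listing or of the XWiki project), the following Python script turns rows in the flattened one-line form in which this listing was scraped into structured records, separates the site's AI-estimated scores and severities from advisory-supplied ones, derives a CVSS v3 qualitative band for rows that carry a score but no severity, and tallies entries by CWE and by publication year. The sample rows are copied from the table above; the row regex is my assumption about the scrape format, and `Row`, `parse_row`, `cvss_band` and `summarize` are names chosen here, not anything the site or XWiki provides.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: rows copied from the xwiki-platform listing in the flattened
# one-line form it was scraped in. "AI" glued onto a score or severity marks a value
# the site generated itself rather than one taken from the advisory; "-" means none.
SAMPLE_ROWS = """
CVE-2026-33137 XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName} CWE-862--2026-05-20
CVE-2026-40105 XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality CWE-80 8.8 -2026-04-15
CVE-2026-33229 XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API CWE-862 9.9AICriticalAI2026-04-08
CVE-2026-24128 XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages CWE-79 9.6 -2026-01-23
CVE-2025-58049 XWiki PDF export jobs store sensitive cookies unencrypted in job statuses CWE-212 5.8 Medium2025-08-28
CVE-2025-32429 XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter CWE-89 9.8 -2025-07-24
CVE-2024-56158 XWiki allows SQL injection in query endpoint of REST API with Oracle CWE-89 9.8AICriticalAI2025-06-12
CVE-2025-32973 org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right CWE-862 9.1 Critical2025-04-30
""".strip().splitlines()

# Assumed scrape format: "<CVE> <title> <CWE><cvss|->[AI]<severity|->[AI]<YYYY-MM-DD>".
# The title is matched lazily so it stops at the first "CWE-" token that is followed
# by the score/severity/date tail.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+"
    r"(?P<cwe>CWE-\d+)\s*"
    r"(?P<cvss>\d{1,2}\.\d|-)(?P<cvss_ai>AI)?\s*"
    r"(?P<sev>Critical|High|Medium|Low|-)(?P<sev_ai>AI)?"
    r"(?P<date>\d{4}-\d{2}-\d{2})$"
)


@dataclass
class Row:
    cve: str
    title: str
    cwe: str
    cvss: Optional[float]          # None when the listing shows "-"
    cvss_estimated: bool           # True when the score carried the site's "AI" marker
    severity: Optional[str]        # None when the listing shows "-"
    severity_estimated: bool       # True when the severity carried the "AI" marker
    published: str                 # YYYY-MM-DD as printed


def parse_row(line: str) -> Row:
    """Parse one flattened listing row; raise on anything that does not match."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    cvss = None if m["cvss"] == "-" else float(m["cvss"])
    sev = None if m["sev"] == "-" else m["sev"]
    return Row(
        cve=m["cve"], title=m["title"], cwe=m["cwe"],
        cvss=cvss, cvss_estimated=m["cvss_ai"] is not None,
        severity=sev, severity_estimated=m["sev_ai"] is not None,
        published=m["date"],
    )


def cvss_band(score: Optional[float]) -> Optional[str]:
    """CVSS v3.x qualitative rating for a base score (None stays None)."""
    if score is None:
        return None
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def summarize(rows):
    """Tally by CWE and year, and flag rows whose scores need checking elsewhere."""
    return {
        "by_cwe": Counter(r.cwe for r in rows),
        "by_year": Counter(r.published[:4] for r in rows),
        # Site-estimated values: confirm against the advisory before relying on them.
        "estimated": [r.cve for r in rows if r.cvss_estimated or r.severity_estimated],
        # No score at all: unscored is not the same as low severity.
        "unscored": [r.cve for r in rows if r.cvss is None],
        # Score present but no severity printed: derive the band from the score.
        "derived_severity": {r.cve: cvss_band(r.cvss)
                             for r in rows if r.cvss is not None and r.severity is None},
    }


if __name__ == "__main__":
    summary = summarize([parse_row(line) for line in SAMPLE_ROWS])
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Running it over the sample shows the pattern the table hides: three CWE-862 (missing authorization) entries and two CWE-89 entries in eight rows, two rows whose Critical rating comes only from the site's estimate, one row with no score, and three rows that carry a score but no severity, of which two fall in the Critical band when rated by the CVSS v3 scale.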
