SB2026050581 - Multiple vulnerabilities in XWiki platform
Published: May 5, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-32430)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute malicious JavaScript code in the context of the victim's session.
The vulnerability exists due to cross-site scripting in two web templates when handling attacker-controlled URL parameters. A remote attacker can send a specially crafted URL to execute malicious JavaScript code in the context of the victim's session.
User interaction is required: the victim must visit an attacker-controlled URL, after which the injected script can perform arbitrary actions with the victim's permissions.
2) Improper Removal of Sensitive Information Before Storage or Transfer (CVE-ID: CVE-2025-58049)
CWE-ID: CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper removal of sensitive information before storage or transfer in the PDF export job status serialization when processing a PDF export request in a background job. A remote privileged user can trigger a PDF export to disclose sensitive information.
The stored job status can include user cookies, including encrypted credentials, and the encryption key is stored in the same data directory by default.
3) Relative Path Traversal (CVE-ID: CVE-2025-55748)
CWE-ID: CWE-23 - Relative Path Traversal
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in the jsx and sx endpoints when handling resource parameters in requests. A remote attacker can send a specially crafted request to disclose sensitive information.
This can be reproduced on Tomcat instances.
4) Relative Path Traversal (CVE-ID: CVE-2025-55747)
CWE-ID: CWE-23 - Relative Path Traversal
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to relative path traversal in the webjars API when handling crafted webjars URLs with encoded path separators. A remote attacker can send a specially crafted request to disclose sensitive information.
Configuration files can be accessed through traversal outside the intended directory.
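Both path-traversal issues above (the jsx/sx resource parameters and the webjars URLs with encoded path separators) share one mitigation: fully decode the requested resource name, normalize it, and refuse anything that would leave the base directory. The following added example is not XWiki code; it shows a generic resolver of that kind plus a helper that flags such requests in constructed access-log lines, so defenders can both block and detect the pattern.

```python
# Added example, not XWiki code: refuse resource paths whose raw or
# percent-encoded (including double-encoded) segments escape the base dir.
import re
from urllib.parse import unquote

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e%252f is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value  # after max_rounds any leftover '%' is treated as literal

def resolve_resource(base: str, requested: str):
    """Return `requested` joined under `base`, or None if it would escape it."""
    decoded = fully_decode(requested)
    if "\\" in decoded or "\x00" in decoded:  # never legitimate in a resource name
        return None
    parts = []
    for seg in decoded.split("/"):  # lexical normalization of '.' and '..'
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None  # would climb above base
            parts.pop()
        else:
            parts.append(seg)
    return base.rstrip("/") + "/" + "/".join(parts) if parts else None

# Constructed access-log lines (hypothetical, not from the bulletin).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /webjars/example-lib/1.0/app.js HTTP/1.1" 200',
    '10.0.0.9 - - "GET /webjars/example-lib/1.0/..%2F..%2F..%2Fsettings.cfg HTTP/1.1" 200',
    '10.0.0.9 - - "GET /webjars/example-lib/1.0/%252e%252e%2Fnotes.txt HTTP/1.1" 404',
]
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP')

def flag_traversal_requests(lines):
    """Return request paths whose fully decoded form contains a '..' segment."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if ".." in fully_decode(m.group(1)).split("/"):
            flagged.append(m.group(1))
    return flagged
```

A production resolver should additionally resolve the final path on disk (symlinks included) and confirm it still lies under the base directory; the lexical check alone is not sufficient on a filesystem with links.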
Remediation
Install the update from the vendor's website.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx
- https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429
- https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf
- https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-ee78930a9ac5ea586179fe8ab88a5fd58e369d175927d1e88a0b4dbc3ebcbf1eR62
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7
- https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-45ea9c87d5fb68cd5db0da7f78cf25e76f1325f5fe56e21618b21786fc706236R80-R81