SB2026050585 - Multiple vulnerabilities in XWiki platform
Published: May 5, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary JavaScript code in the user's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in a web page in the page history compare view when handling URL parameters for revision comparison. A remote attacker can send a specially crafted link to execute arbitrary JavaScript code in the user's browser.
If the victim is an administrator, exploitation can affect the confidentiality, integrity, and availability of the whole XWiki instance.
2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-40104)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in REST API endpoints exposing database list properties when handling requests for metadata that list all available pages or spaces. A remote attacker can send a specially crafted request to cause a denial of service.
Exploitation can exhaust available resources on large wikis.
Remediation
Install update from vendor's website.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c
- https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g
- https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7