SB2026052151 - Multiple vulnerabilities in XWiki platform
Published: May 21, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2026-33137)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an unauthenticated remote attacker to create or overwrite documents in the target wiki.
The vulnerability exists because the REST /wikis/{wikiName} endpoint performs no authorization check when a POST request triggers a XAR import. A remote attacker who can reach the endpoint can send a crafted POST request and have the imported XAR create or overwrite documents in the target wiki without holding edit rights (the CVSS vector reflects this: no privileges and no user interaction required, high impact on integrity).
2) Path Traversal: '../filedir' (CVE-ID: CVE-2026-48047)
CWE-ID: CWE-24 - Path Traversal: '../filedir'
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote, privileged user to write arbitrary files on the server.
The vulnerability exists due to path traversal in the WebJar extension handling in xwiki-platform-webjars-api: entry names inside a WebJar are not confined to the extension's install location, so a crafted extension can place files outside it when installed. A remote user with the rights to install extensions can install a specially crafted WebJar to write arbitrary files.
Exploitation requires both extension-installation rights on the instance and a malicious extension available in an extension repository configured on that instance (for example a repository the administrator added or one whose contents an attacker controls).
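The generic defence for this class of bug (CWE-24) is to resolve every archive entry name against the install directory and refuse any entry that escapes it. The following is an added example written for this bulletin, not XWiki's WebJar code and not the vendor's fix: a containment check, an archive installer that applies it, and a constructed jar containing one legitimate WebJar resource and two traversal entries to exercise it. The install directory, the entry names and the fixture contents are assumptions made for the example.

```python
"""Containment check for archive entries written under an install directory.

Added example for this bulletin; not XWiki code. The install path, the
fixture jar and its entry names are constructed for the demonstration.
"""
import io
import os
import tempfile
import zipfile


def safe_target(base_dir, entry_name):
    """Return the absolute path entry_name maps to under base_dir, or raise
    ValueError if it would land outside it (empty, absolute, backslash, or
    '..' sequences that climb above base_dir)."""
    base = os.path.realpath(base_dir)
    if not entry_name or os.path.isabs(entry_name) or '\\' in entry_name:
        raise ValueError(f'rejected entry name: {entry_name!r}')
    target = os.path.realpath(os.path.join(base, entry_name))
    # realpath has collapsed '..' and symlinks, so a prefix test is now sound.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f'path traversal: {entry_name!r} escapes {base}')
    return target


def is_contained(base_dir, entry_name):
    """Boolean wrapper around safe_target for quick checks of entry names."""
    try:
        safe_target(base_dir, entry_name)
        return True
    except ValueError:
        return False


def install_archive(archive_bytes, base_dir):
    """Extract a jar/zip into base_dir, skipping entries that fail safe_target.
    Returns (written, rejected) as lists of entry names, in archive order."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            try:
                dest = safe_target(base_dir, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, 'wb') as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_malicious_webjar():
    """Constructed fixture (not a real extension): one legitimate WebJar
    resource plus a relative and an absolute traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('META-INF/resources/webjars/demo/1.0/demo.js',
                    'console.log("demo");\n')
        zf.writestr('../../outside.txt', 'should never be written\n')
        zf.writestr('/etc/evil.conf', 'nor this\n')
    return buf.getvalue()


def demo_install():
    """Install the fixture into a scratch directory and report what was
    written, what was rejected, and whether the relative escape landed
    two levels above the install directory."""
    base = tempfile.mkdtemp(prefix='webjar-demo-')
    written, rejected = install_archive(build_malicious_webjar(), base)
    two_up = os.path.dirname(os.path.dirname(base))
    escaped = os.path.exists(os.path.join(two_up, 'outside.txt'))
    return written, rejected, escaped


if __name__ == '__main__':
    print(demo_install())
```

The check is done on the resolved path rather than by scanning the name for "..", because a name such as a/../../b is only detectable after normalisation, and realpath also defeats a symlink placed inside the install directory by an earlier, benign-looking entry.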
3) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2026-48048)
CWE-ID: CWE-359 - Exposure of Private Information ('Privacy Violation')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an unauthenticated remote attacker to disclose users' password salts and hashes.
The vulnerability exists because the LiveTableResults component leaks private data when queried with slightly modified request parameters. By sending a series of crafted requests, a remote attacker can read a user's password salt and hash one bit per request; the complete salt and hash can be reconstructed in 768 requests. The disclosed hash can then be attacked offline, so affected instances should treat user passwords as potentially compromised and not rely on the hash format alone as a mitigation.
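The first and third issues need no credentials, so a defender running an unpatched instance will want to look for them in web-server access logs. The following is an added example, not code from XWiki or from the advisory: it flags every POST to the wiki-level REST resource and any client that issues hundreds of LiveTableResults requests with distinct parameters, the shape a one-bit-per-request oracle produces. The combined log format, the /xwiki context path, the /xwiki/bin/get/XWiki/LiveTableResults route and all sample traffic are assumptions and constructed data; the varying "probe" parameter in the fixture is a placeholder for the modified parameter, which the advisory does not name.

```python
"""Access-log triage for the two unauthenticated issues in this bulletin.

Added example, not XWiki code. Assumes the usual XWiki URL layout (REST under
/xwiki/rest, live tables served by /xwiki/bin/get/XWiki/LiveTableResults) and
combined-format access logs; adjust the patterns for other deployments.
"""
import re
from collections import defaultdict

# Combined log format: client ident user [time] "METHOD TARGET PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# CVE-2026-33137: a POST to the wiki-level resource /wikis/{wikiName} (no
# sub-resource) triggered the XAR import without an authorization check.
XAR_IMPORT_RE = re.compile(r'^(?:/[^/]+)?/rest/wikis/[^/?]+/?(?:\?.*)?$')

# CVE-2026-48048: recovering a salt and hash needs 768 LiveTableResults calls,
# each with a slightly different parameter set.
LIVETABLE_RE = re.compile(r'/bin/get/XWiki/LiveTableResults(?:\?|$)')


def parse_line(line):
    """Fields of one combined-format line (plus split path/query), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['path'], _, rec['query'] = rec['target'].partition('?')
    return rec


def find_wiki_post_imports(lines):
    """(ip, user, status, path) for every POST to the wiki-level REST resource.

    On an unpatched instance each one deserves review: a 2xx from a client that
    holds no edit rights means a XAR was imported. The user field only reflects
    HTTP-level authentication, so '-' does not by itself mean unauthenticated.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and XAR_IMPORT_RE.match(rec['target']):
            hits.append((rec['ip'], rec['user'], rec['status'], rec['path']))
    return hits


def find_livetable_oracle_clients(lines, min_requests=200):
    """ip -> (request count, distinct query strings) for clients that call
    LiveTableResults many times with mostly different parameters. Legitimate
    paging repeats a handful of queries; a bit-by-bit oracle cannot."""
    counts, queries = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and LIVETABLE_RE.search(rec['target']):
            counts[rec['ip']] += 1
            queries[rec['ip']].add(rec['query'])
    return {ip: (n, len(queries[ip])) for ip, n in counts.items()
            if n >= min_requests and len(queries[ip]) >= min_requests // 2}


def build_sample_log():
    """Constructed sample traffic (not real logs): one suspicious POST, normal
    paging by a logged-in user, and one client running 768 varied requests."""
    ts = '21/May/2026:10:00:00 +0000'
    lt = '/xwiki/bin/get/XWiki/LiveTableResults?classname=XWiki.XWikiUsers'
    lines = [
        f'203.0.113.5 - - [{ts}] "POST /xwiki/rest/wikis/xwiki HTTP/1.1" 200 512 "-" "curl/8.0"',
        f'203.0.113.5 - - [{ts}] "GET /xwiki/rest/wikis/xwiki/spaces HTTP/1.1" 200 2048 "-" "curl/8.0"',
        f'192.0.2.10 - alice [{ts}] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
        f'192.0.2.10 - alice [{ts}] "GET {lt}&offset=1&limit=15 HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
        f'192.0.2.10 - alice [{ts}] "GET {lt}&offset=16&limit=15 HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    ]
    # Oracle client: "probe" is a placeholder for the modified parameter.
    for i in range(768):
        lines.append(f'198.51.100.7 - - [{ts}] "GET {lt}&probe={i} HTTP/1.1" '
                     f'200 300 "-" "python-requests/2.31"')
    return lines


if __name__ == '__main__':
    log = build_sample_log()
    print(find_wiki_post_imports(log))
    print(find_livetable_oracle_clients(log))
```

For real logs, feed the file's lines to both functions and lower min_requests if the attacker may have spread the 768 requests across several source addresses; the distinct-query ratio is the more robust signal, since ordinary live-table use varies only offset, limit and sort parameters.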
Remediation
Install the update from the vendor's website; the linked GitHub advisories and fix commits identify the patched releases for each issue.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r
- https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vgwr-23fq-pr7g
- https://github.com/xwiki/xwiki-platform/commit/9f747fcd3200259a1de51957d3f5f6acc8e3816c
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rh28-mqj4-8x59
- https://github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa