SQL injection in XWiki platform - CVE-2024-56158

Published: May 5, 2026


Vulnerability identifier: #VU129877
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-56158
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL queries.

The vulnerability exists due to improper neutralization of special elements used in an SQL command (CWE-89) in the query endpoint of the REST API when processing HQL queries against an Oracle database. Hibernate translates HQL into native SQL and, on Oracle, passes functions it does not recognise through unchanged as native Oracle functions; XWiki's HQL query validator did not check which functions a "simple select" calls. A remote attacker can therefore submit a crafted HQL query that invokes native Oracle functions and have the database execute arbitrary SQL. No authentication is required (PR:N in the CVSS vector above).

Only deployments backed by Oracle are affected by this particular issue, because the pass-through of unknown functions is specific to the Oracle dialect; the validator gap alone is harmless on databases where Hibernate rejects unknown functions.
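To make the validator gap concrete, here is an added, self-contained Python illustration of the two checks side by side. It is not XWiki's code and does not reproduce its validator: the "simple select" shape test, the allowlist of HQL functions and the sample queries are all constructed for this example, and `sys_context` is used only as a stand-in for any function name that belongs to the database rather than to HQL. A shape-only check accepts both queries; the hardened check extracts every `name(` in the query (outside string literals) and rejects anything not on the allowlist.

```python
import re

# Constructed allowlist: functions a read-only HQL "simple select" over
# XWiki documents legitimately needs. Anything else is refused.
ALLOWED_FUNCTIONS = frozenset({
    "lower", "upper", "count", "length", "concat", "substring", "trim",
    "coalesce", "min", "max", "sum", "avg", "year", "month", "day",
})

# Keywords that can legitimately be followed by "(" but are not calls.
KEYWORDS_BEFORE_PAREN = frozenset({
    "in", "exists", "and", "or", "not", "where", "from", "select",
    "distinct", "values",
})

# An identifier, optionally dotted (e.g. pkg.fn), followed by "(".
FUNCTION_CALL = re.compile(
    r"\b([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)\s*\("
)

# Assumed shape of a "simple select": select ... from ...
SIMPLE_SELECT = re.compile(r"^\s*select\s+.+\s+from\s+",
                           re.IGNORECASE | re.DOTALL)

# Constructed sample queries (not from the advisory or from XWiki).
SAFE_QUERY = ("select doc.fullName from XWikiDocument doc "
              "where lower(doc.space) = 'main'")
NATIVE_QUERY = ("select sys_context('USERENV', 'SESSION_USER') "
                "from XWikiDocument doc")


def strip_string_literals(hql):
    """Replace '...' literals (with '' escapes) by '' so quoted text is not scanned."""
    return re.sub(r"'(?:[^']|'')*'", "''", hql)


def called_functions(hql):
    """Return the lower-cased names of all functions the query calls."""
    cleaned = strip_string_literals(hql)
    names = set()
    for match in FUNCTION_CALL.finditer(cleaned):
        name = match.group(1).lower()
        if name not in KEYWORDS_BEFORE_PAREN:
            names.add(name)
    return names


def validate_lenient(hql):
    """Shape-only check in the spirit of the flaw: any 'simple select' passes,
    whatever functions it calls, so a native function reaches the database."""
    return bool(SIMPLE_SELECT.match(hql))


def validate_strict(hql):
    """Shape check plus a function allowlist: a function the HQL layer does
    not need is refused before Hibernate can pass it through to Oracle."""
    if not SIMPLE_SELECT.match(hql):
        return False, "not a simple select"
    disallowed = sorted(called_functions(hql) - ALLOWED_FUNCTIONS)
    if disallowed:
        return False, "disallowed function(s): " + ", ".join(disallowed)
    return True, "ok"


if __name__ == "__main__":
    for label, query in (("safe", SAFE_QUERY), ("native", NATIVE_QUERY)):
        print(label, "lenient:", validate_lenient(query),
              "strict:", validate_strict(query))
```

The allowlist approach is deliberately conservative: unknown names are rejected rather than looked up, so a new native function or PL/SQL package never becomes reachable by default. String literals are blanked before scanning so that a parenthesis inside a quoted value neither hides a call nor produces a false positive.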


How to mitigate CVE-2024-56158

Install the security update from the vendor's website. Until it is applied, deployments backed by Oracle can reduce exposure by restricting access to the REST API query endpoint to trusted users or networks; deployments on other databases are not affected by this issue.
