Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2026-40105

Published: May 5, 2026


Vulnerability identifier: #VU129896
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-40105
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code in the user's browser.

The vulnerability exists because script-related HTML tags are not properly neutralized in the page history compare view when the URL parameters used for revision comparison are handled. A remote attacker can send a specially crafted link that, when opened by the victim, executes arbitrary JavaScript code in the victim's browser.

If the victim is an administrator, exploitation can affect the confidentiality, integrity, and availability of the whole XWiki instance.
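As an added detection example (not part of this advisory or of XWiki's own code), the following scans web-server access log lines for requests to the history compare view whose revision parameters are not plain revision identifiers, which is the kind of request a reflected payload in those parameters would produce. It assumes the compare view is reached via `?viewer=changes&rev1=...&rev2=...` and that legitimate revision identifiers look like `1.1` or `12.3`; both the parameter names and the identifier format are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions (not stated in the advisory): the compare view is selected with
# viewer=changes, and the revisions to compare arrive in rev1/rev2 as "N.N".
COMPARE_PARAMS = ("rev1", "rev2")
VERSION_RE = re.compile(r"^\d+\.\d+$")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed combined-log style lines: one normal compare request, one whose
# rev2 value is not a revision identifier, and one unrelated page view.
SAMPLE_LOGS = [
    '10.0.0.5 - - [05/May/2026:10:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome'
    '?viewer=changes&rev1=1.1&rev2=2.1 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [05/May/2026:10:00:02 +0000] "GET /xwiki/bin/view/Main/WebHome'
    '?viewer=changes&rev1=1.1&rev2=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5200',
    '10.0.0.8 - - [05/May/2026:10:00:03 +0000] "GET /xwiki/bin/view/Main/WebHome'
    ' HTTP/1.1" 200 4000',
]


def suspicious_compare_params(log_line):
    """Return [(param, decoded_value)] for compare-view revision parameters
    whose value does not look like a revision identifier; [] otherwise."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    # parse_qs percent-decodes values, so "%3Cb%3E" is compared as "<b>".
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if query.get("viewer") != ["changes"]:
        return []  # not the history compare view
    findings = []
    for param in COMPARE_PARAMS:
        for value in query.get(param, []):
            if not VERSION_RE.match(value):
                findings.append((param, value))
    return findings


def scan(lines):
    """Return [(line_index, finding)] across a batch of log lines."""
    return [(i, f) for i, line in enumerate(lines)
            for f in suspicious_compare_params(line)]


if __name__ == "__main__":
    for idx, (param, value) in scan(SAMPLE_LOGS):
        print(f"line {idx}: {param}={value!r} is not a revision identifier")
```

Hits from this scan are a triage signal, not proof of exploitation; confirm against the patched version and the victim's session activity before escalating.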


How to mitigate CVE-2026-40105

Install the security update from the vendor's website.

Sources