Eval Injection in XWiki platform - CVE-2022-41934

 

Eval Injection in XWiki platform - CVE-2022-41934

Published: November 21, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU129999
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-41934
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the menu macro when processing macro content and parameters. A remote user can inject crafted Groovy, Python, or Velocity code to execute arbitrary code.

The issue affects commonly accessible documents that include the menu macro and can lead to full access to the XWiki installation.


How to mitigate CVE-2022-41934

Install security update from vendor's website.

Sources