xwiki
Products: xwiki-commons · xwiki-platform · xwiki-rendering
Score: 40.6 · CVEs: 36 · Active: 1 · PoC: 35 · KEV: 1 · Rank: #55
| CVE ID | Published | CVSS | Exploit | KEV | AC | PR | Auto | Score | Affected Products | Description |
|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-66473 | 2025-12-10 | 8.7 (v4.0) | POC | — | Low | None | YES | 0.0 | xwiki-platform | XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages |
| CVE-2025-66474 | 2025-12-10 | 8.7 (v4.0) | POC | — | Low | Low | no | 0.0 | xwiki-rendering | XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which |
| CVE-2025-54124 | 2025-08-05 | 7.1 (v4.0) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create a |
| CVE-2025-54125 | 2025-08-05 | 8.7 (v4.0) | POC | — | Low | None | YES | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be t |
| CVE-2025-53836 | 2025-07-14 | 10.0 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-rendering | XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restrict |
| CVE-2025-49584 | 2025-06-13 | 8.7 (v4.0) | POC | — | Low | None | YES | 0.0 | xwiki-platform | XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default fo |
| CVE-2025-49586 | 2025-06-13 | 8.7 (v4.0) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16 |
| CVE-2025-32971 | 2025-04-30 | 3.8 (v3.1) | POC | — | Low | High | no | 0.0 | xwiki-platform | XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's scr |
| CVE-2025-32972 | 2025-04-30 | 2.7 (v3.1) | POC | — | Low | High | no | 0.0 | xwiki-platform | XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making i |
| CVE-2025-46554 | 2025-04-30 | 5.3 (v3.1) | POC | — | Low | None | YES | 0.0 | xwiki-platform | XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. The |
| CVE-2025-29924 | 2025-03-19 | 8.7 (v4.0) | POC | — | Low | None | YES | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability |
| CVE-2025-29925 | 2025-03-19 | 8.7 (v4.0) | POC | — | Low | None | YES | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent u |
| CVE-2025-29926 | 2025-03-19 | 7.9 (v4.0) | POC | — | Low | None | YES | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by d |
| CVE-2025-24893 | 2025-02-20 | 9.8 (v3.1) | ACTIVE | Yes | Low | None | YES | 40.6 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce |
| CVE-2024-55662 | 2024-12-12 | 10.0 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed i |
| CVE-2024-55876 | 2024-12-12 | 5.4 (v3.0) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Sched |
| CVE-2024-55877 | 2024-12-12 | 10.0 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity |
| CVE-2024-55879 | 2024-12-12 | 9.1 (v3.1) | POC | — | Low | High | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availabi |
| CVE-2024-31464 | 2024-04-10 | 6.8 (v3.1) | POC | — | Low | High | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.19, 15.5.4, and 15.9-rc-1, it is possible to access the hash of a password by using the diff feature of the history whenever the object storing the password is deleted. Using that vulnerability it's p |
| CVE-2024-31982 | 2024-04-10 | 10.0 (v3.1) | POC | — | Low | None | YES | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed w |
| CVE-2024-31983 | 2024-04-10 | 10.0 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform. In multilingual wikis, translations can be edited by any user who has edit right, circumventing the rights that are normally required for authoring translations (script right for user-scope translations, wiki admin for translations on the wiki). Starting in |
| CVE-2024-31984 | 2024-04-10 | 10.0 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit |
| CVE-2024-31987 | 2024-04-10 | 10.0 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote code |
| CVE-2024-31996 | 2024-04-10 | 10.0 (v3.1) | POC | — | Low | None | YES | 0.0 | xwiki-commons | XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution |
| CVE-2024-21650 | 2024-01-08 | 10.0 (v3.1) | POC | — | Low | None | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "f |
| CVE-2023-46243 | 2023-11-07 | 10.0 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user have edit right on it. A crafted URL of the form ` |
| CVE-2023-46731 | 2023-11-06 | 10.0 (v3.1) | POC | — | Low | None | YES | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sections. This allows any user with read access to the document `XWiki.AdminSheet` ( |
| CVE-2023-37909 | 2023-10-25 | 10.0 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.1-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that |
| CVE-2023-37910 | 2023-10-25 | 8.1 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with the introduction of attachment move support in version 14.0-rc-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, an attacker with edit access on any document (can be the user |
| CVE-2023-37911 | 2023-10-25 | 6.5 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, when a document has been deleted and re-created, it is possible for users with view right on the re-created document but |
| CVE-2023-37912 | 2023-10-25 | 10.0 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-rendering | XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Prior to version 14.10.6 of `org.xwiki.platform:xwiki-core-rendering-macro-footnotes` and `org.xwiki.platform:xwiki-rendering-macro-footnotes` and prior to version 15.1-rc-1 of `org.xwiki |
| CVE-2023-37913 | 2023-10-25 | 10.0 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 3.5-milestone-1 and prior to versions 14.10.8 and 15.3-rc-1, triggering the office converter with a specially crafted file name allows writing the attachment's content to an a |
| CVE-2023-41046 | 2023-09-01 | 6.3 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible in XWiki to execute Velocity code without having script right by creating an XClass with a property of type "TextArea" and content type "VelocityCode" or "VelocityWiki". For the fo |
| CVE-2023-40177 | 2023-08-23 | 9.9 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can use the content field of their user profile page to execute arbitrary scripts with programming rights, thus effectively performing rights escalation. This issue is present |
| CVE-2023-37914 | 2023-08-17 | 9.9 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view `Invitation.WebHome` can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to |
| CVE-2023-37462 | 2023-07-14 | 10.0 (v3.1) | POC | — | Low | Low | no | 0.0 | xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arb |
Each CVE: 10 pts base (Active only), boosted by:
- KEV: ×2.0
- AC: Low: ×1.2
- PR: None: ×1.3
- PR: Low: ×1.1
- Auto: ×1.3