Home

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

PUBLISHED Reserved 2026-03-17 | Published 2026-05-20 | Updated 2026-05-20 | Assigner GitHub_M




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-862: Missing Authorization

Product status

< 16.10.17
affected

>= 17.0.0-rc-1, < 17.4.9
affected

>= 17.5.0, < 17.10.3
affected

>= 18.0.0-rc-1, < 18.1.0-rc-1
affected

References

github.com/...atform/security/advisories/GHSA-qrvh-r3f2-9h4r

github.com/...ommit/4b7b95b79256374d487e9ece1dc48f527966990f

jira.xwiki.org/browse/XWIKI-23953

cve.org (CVE-2026-33137)

nvd.nist.gov (CVE-2026-33137)

Download JSON