Home

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.

PUBLISHED Reserved 2026-03-18 | Published 2026-04-08 | Updated 2026-04-10 | Assigner GitHub_M




HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-862: Missing Authorization

Product status

>= 17.0.0-rc-1, < 17.4.8
affected

>= 17.5.0-rc-1, < 17.10.1
affected

>= 17.0.0-rc-1, < 17.4.8
affected

>= 17.5.0-rc-1, < 17.10.1
affected

>= 17.0.0-rc-1, < 17.4.8
affected

>= 17.5.0-rc-1, < 17.10.1
affected

References

github.com/...atform/security/advisories/GHSA-h259-74h5-4rh9

github.com/...ommit/9fe84da66184c05953df9466cf3a4acd15a46e63

jira.xwiki.org/browse/XWIKI-23698

jira.xwiki.org/browse/XWIKI-23702

cve.org (CVE-2026-33229)

nvd.nist.gov (CVE-2026-33229)

Download JSON