CVE-2026-24128

Jan. 24, 2026, 12:15 a.m.

6.5
Medium

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required.

Product(s) Impacted

Vendor Product Versions
Xwiki
  • Xwiki Platform
  • 7.0-milestone-2-16.10.11, 17.0.0-rc-1-17.4.4, 17.5.0-rc-1-17.7.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a xwiki xwiki_platform 7.0-milestone-2-16.10.11 / / / / / / /
a xwiki xwiki_platform 17.0.0-rc-1-17.4.4 / / / / / / /
a xwiki xwiki_platform 17.5.0-rc-1-17.7.0 / / / / / / /

References

https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf
https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12
https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5
https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp
https://jira.xwiki.org/browse/XWIKI-23462

Tags

[email protected]
CWE-79
2026-01-24
CVE-2026-24128

CVSS Score

6.5 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: PASSIVE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Jan. 24, 2026, 12:15 a.m.
Last Modified: Jan. 24, 2026, 12:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.