CVE-2026-40105

April 15, 2026, 4:17 a.m.

6.5
Medium

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.

Product(s) Impacted

Vendor Product Versions
Xwiki
  • Xwiki Platform
  • 10.4-rc-1, 10.4-rc-1-16.10.15, 17.0.0-rc-1, 17.5.0-rc-1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a xwiki xwiki_platform 10.4-rc-1 17.10.0 / / / / / /
a xwiki xwiki_platform 10.4-rc-1-16.10.15 / / / / / / /
a xwiki xwiki_platform 17.0.0-rc-1 17.4.7 / / / / / /
a xwiki xwiki_platform 17.5.0-rc-1 17.10.0 / / / / / /

References

https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c
https://jira.xwiki.org/browse/XWIKI-23472

Tags

[email protected]
CWE-80
2026-04-15
CVE-2026-40105

CVSS Score

6.5 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: PASSIVE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: April 15, 2026, 4:17 a.m.
Last Modified: April 15, 2026, 4:17 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.