XWiki has Reflected Cross-Site Scripting (XSS) in its page history...

6.5 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.

Basic Information

ID CVE-2026-40105

Source GitHub_M

Published Apr 15, 2026 at 00:07

Affected Product

Vendor xwiki

Product xwiki-platform

Version >= 10.4-rc-1, < 16.10.16

Affected Versions xwiki xwiki-platform >= 10.4-rc-1, < 16.10.16
xwiki xwiki-platform >= 17.0.0-rc-1, < 17.4.8
xwiki xwiki-platform >= 17.5.0-rc-1, < 17.10.1

CWE Classification

CWE-80

References

{
    "lastseen": "",
    "description": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through  16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.",
    "published": "2026-04-15T00:07:23.150Z",
    "modified": "2026-04-15T00:07:23.150Z",
    "type": "cve",
    "title": "XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality",
    "source": "GitHub_M",
    "references": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c\nhttps://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c\nhttps://jira.xwiki.org/browse/XWIKI-23472",
    "id": "CVE-2026-40105",
    "bulletinFamily": "",
    "cwe": [
        "CWE-80"
    ],
    "cvelist": null,
    "sourceData": "xwiki xwiki-platform >= 10.4-rc-1, < 16.10.16\nxwiki xwiki-platform >= 17.0.0-rc-1, < 17.4.8\nxwiki xwiki-platform >= 17.5.0-rc-1, < 17.10.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "xwiki-platform",
    "version": ">= 10.4-rc-1, < 16.10.16",
    "vendor": "xwiki",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality_CVE-2026-40105