Xwiki platform
This hub aggregates every CVE we track for Xwiki platform. Use it to gauge the current risk picture and drill into individual advisories.
other
- CVEs tracked: 116
- Critical: 68
- High: 24
- In CISA KEV: 1
Severity distribution
- Critical: 68
- High: 24
- Medium: 21
- Low: 3
Monthly trend
Chart values in order, 2024-07 to 2026-06: 2, 0, 1, 0, 0, 1, 0, 1, 3, 10, 1, 9, 2, 5, 2, 1, 0, 4, 1, 1, 0, 2, 1, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Xwiki platform.
- CVE-2026-33137: XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName} (score 7.5)
- CVE-2026-40105: XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality (score 6.1)
- CVE-2026-33229: XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API (score 9.8)
- CVE-2026-26000: XWiki Platform affected by click-jacking through CSS injection in comments (score 6.1)
- CVE-2026-24128: XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages (score 6.1)
- CVE-2025-66474: XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection (score 8.8)
- CVE-2025-66473: XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis (score 7.5)
- CVE-2025-66472: XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication (score 6.1)
- CVE-2025-55749: The XWiki Jetty package (XJetty) allows accessing any application file through URL (score 7.5)
- CVE-2025-52472: XWiki Platform vulnerable to HQL injection via wiki and space search REST API (score 9.8)
- CVE-2025-55748: XWiki Platform's configuration files can be accessed through jsx and sx endpoints (score 7.5)
- CVE-2025-55747: XWiki Platform's configuration files can be accessed through the webjars API (score 9.1)
- CVE-2025-51991: XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentat... (score 8.8)
- CVE-2025-51990: XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Pre... (score 4.8)
- CVE-2025-54125: XWiki Platform: Password and email exposure in xml.vm fields (score 6.5)
Product normalization is registry-driven with AI assist and human review.