Xwiki-platform

This hub aggregates every CVE we track for Xwiki-platform, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Xwiki-platform.

• CVE-2026-33137XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}7.5May 20, 2026
• CVE-2026-40105XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality6.1Apr 15, 2026
• CVE-2026-33229XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API9.8Apr 8, 2026
• CVE-2026-26000XWiki Platform affected by click-jacking through CSS injection in comments6.1Feb 12, 2026
• CVE-2026-24128XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages6.1Jan 23, 2026
• CVE-2025-66473XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis7.5Dec 10, 2025
• CVE-2025-66472XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication6.1Dec 10, 2025
• CVE-2025-55749The XWiki Jetty package (XJetty) allows accessing any application file through URL7.5Dec 1, 2025
• CVE-2025-52472XWiki Platform vulnerable to HQL injection via wiki and space search REST API9.8Oct 6, 2025
• CVE-2025-55748XWiki Platform's configuration files can be accessed through jsx and sx endpoints7.5Sep 3, 2025
• CVE-2025-55747XWiki Platform's configuration files can be accessed through the webjars API9.1Sep 3, 2025
• CVE-2025-58049XWiki PDF export jobs store sensitive cookies unencrypted in job statuses5.8Aug 28, 2025
• CVE-2025-54125XWiki Platform: Password and email exposure in xml.vm fields6.5Aug 5, 2025
• CVE-2025-54124XWiki Platform: Any user with editing rights can access password properties through Database List Properties6.5Aug 5, 2025
• CVE-2025-32430XWiki Platform contains Reflected XSS vulnerability in two templates6.1Aug 5, 2025