Path Traversal Vulnerability in XWiki Platform
CVE-2026-23734

9.3 CRITICAL

Key Information:

Vendor: XWiki
CVE Published: 20 May 2026

What is CVE-2026-23734?

A path traversal vulnerability in the XWiki Platform allows unauthorized access to sensitive configuration files. It is exploited through specially crafted URLs that manipulate the resource parameter of the ssx and jsx endpoints, and can expose internal configuration settings. All versions prior to the patched releases (18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17) are affected, which poses a serious risk to deployed applications.

Affected Version(s)

xwiki-commons < 16.10.17

xwiki-commons >= 17.0.0-rc-1, < 17.4.9

xwiki-commons >= 17.5.0, < 17.10.3

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
