Exploitable Scripting API Flaw in XWiki Platform by XWiki
CVE-2026-33229

8.6 HIGH

What is CVE-2026-33229?

The XWiki Platform contains an improperly protected scripting API that lets any user holding script rights bypass the sandboxing of the Velocity scripting API. Through this flaw such a user can execute arbitrary Python scripts, which gives an attacker full control of the XWiki instance and therefore compromises the confidentiality, integrity, and availability of the whole platform. Script rights should be granted only to trusted users, since anyone who holds them on an unpatched instance can escalate to full access. The issue is fixed in versions 17.4.8 and 17.10.1.

Affected Version(s)

xwiki-platform: >= 17.0.0-rc-1, < 17.4.8 (fixed in 17.4.8)

xwiki-platform: >= 17.5.0-rc-1, < 17.10.1 (fixed in 17.10.1)

xwiki-platform-legacy-oldcore: >= 17.0.0-rc-1, < 17.4.8 (fixed in 17.4.8)
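The following is an added example, not code from XWiki or from this advisory: a small checker that takes the affected ranges listed above and reports whether a given installed version falls inside one of them and which release fixes it. It assumes XWiki version strings of the form `MAJOR.MINOR.PATCH`, optionally suffixed with `-rc-N` or `-milestone-N`, and orders pre-releases before the corresponding final release (so `17.5.0-rc-1` sorts before `17.5.0`); the sample versions in the module are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as listed in the advisory: (package, introduced, fixed).
# Note that only the rows the advisory gives are encoded; a package/version
# pair outside these rows is reported as not affected by this data alone.
AFFECTED_RANGES: List[Tuple[str, str, str]] = [
    ("xwiki-platform", "17.0.0-rc-1", "17.4.8"),
    ("xwiki-platform", "17.5.0-rc-1", "17.10.1"),
    ("xwiki-platform-legacy-oldcore", "17.0.0-rc-1", "17.4.8"),
]

# Assumed version syntax: 17.4.8, 17.5.0-rc-1, 17.0.0-milestone-2
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-(milestone|rc)-(\d+))?$", re.IGNORECASE
)

# Pre-release stage ordering: milestone < rc < final release.
_STAGE_ORDER = {"milestone": 0, "rc": 1}
_FINAL_STAGE = 2


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn an XWiki version string into a sortable tuple.

    The tuple is (major, minor, patch, stage, stage_number) so that
    17.5.0-milestone-1 < 17.5.0-rc-1 < 17.5.0 < 17.5.1 under plain
    tuple comparison.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage_name = (m.group(4) or "").lower()
    stage = _STAGE_ORDER.get(stage_name, _FINAL_STAGE)
    stage_number = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, stage, stage_number)


def fixed_version_for(package: str, version: str) -> Optional[str]:
    """Return the release that fixes this package/version, or None if the
    version is outside every affected range listed in the advisory."""
    key = parse_version(version)
    for pkg, introduced, fixed in AFFECTED_RANGES:
        if pkg != package:
            continue
        # Ranges are half-open: introduced <= version < fixed.
        if parse_version(introduced) <= key < parse_version(fixed):
            return fixed
    return None


def is_affected(package: str, version: str) -> bool:
    return fixed_version_for(package, version) is not None


def report(installs: List[Tuple[str, str]]) -> List[str]:
    """One human-readable line per (package, version) pair."""
    lines = []
    for package, version in installs:
        fixed = fixed_version_for(package, version)
        if fixed is None:
            lines.append(f"{package} {version}: not in an affected range")
        else:
            lines.append(f"{package} {version}: AFFECTED, upgrade to {fixed}")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    sample = [
        ("xwiki-platform", "17.4.7"),
        ("xwiki-platform", "17.4.8"),
        ("xwiki-platform", "17.5.0-rc-1"),
        ("xwiki-platform", "17.10.1"),
        ("xwiki-platform", "16.10.9"),
        ("xwiki-platform-legacy-oldcore", "17.2.0"),
    ]
    for line in report(sample):
        print(line)
```

The stage field is what makes the range boundaries come out right: `17.0.0-rc-1` is the first affected build of the 17.x line, so a final `17.0.0` must sort after it, and `17.4.8` as a final release must sort after any `17.4.8-rc-N` pre-release would. If your deployment reports versions in a different format, adjust `_VERSION_RE` rather than the comparison logic.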

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
