Reflected Cross-Site Scripting Vulnerability in XWiki Platform
CVE-2026-40105
Severity: 6.5 (MEDIUM)
What is CVE-2026-40105?
XWiki Platform is vulnerable to reflected cross-site scripting (XSS) in the view that compares two revisions of a page. A crafted link to that view lets an attacker run JavaScript in the browser of any user who opens it. If the victim is a logged-in administrator, the script runs with administrator rights, so a single click can compromise the confidentiality, integrity and availability of the entire XWiki instance. Upgrade to a fixed version as soon as possible; if that is not immediately feasible, the fix can be applied by hand by patching the templates/changesdoc.vm file inside the deployed WAR.
Affected Version(s)
Package          Affected versions            Not affected     Fixed in
xwiki-platform   >= 10.4-rc-1, < 16.10.16     < 10.4-rc-1      16.10.16
xwiki-platform   >= 17.0.0-rc-1, < 17.4.8     < 17.0.0-rc-1    17.4.8
xwiki-platform   >= 17.5.0-rc-1, < 17.10.1    < 17.5.0-rc-1    17.10.1
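As an added example (not part of this advisory and not XWiki project code), the following Python script checks a deployed XWiki Platform version string against the three affected ranges listed above and reports the first fixed release on that branch. The version parser is my own and carries two assumptions: that versions have XWiki's shape (dotted integers with an optional pre-release suffix such as -rc-1 or -milestone-2), and that a pre-release sorts before the final release of the same number, with milestone before rc.

```python
# Added example for this advisory (not XWiki project code): test whether a
# deployed XWiki Platform version falls inside the affected ranges above.
import re
import sys
from typing import Optional, Tuple

# (first affected, first fixed) pairs copied from the advisory's
# "Affected Version(s)" section; affected if first_affected <= v < first_fixed.
AFFECTED_RANGES = [
    ("10.4-rc-1", "16.10.16"),
    ("17.0.0-rc-1", "17.4.8"),
    ("17.5.0-rc-1", "17.10.1"),
]

# Assumed XWiki version shape: dotted integers, optional "-qualifier[-n]" suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)-?(\d+)?)?$")

VersionKey = Tuple[Tuple[int, ...], int, str, int]


def parse_version(text: str) -> VersionKey:
    """Convert an XWiki version string into a tuple that sorts correctly.

    Numeric parts are padded to three places (10.4 == 10.4.0). A final release
    gets flag 1 and a pre-release flag 0, so 17.0.0-rc-1 < 17.0.0. Pre-releases
    of the same number order by qualifier name then number, which puts
    milestone before rc (an assumption about XWiki naming, not stated here).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))
    if m.group(2) is None:
        return (nums, 1, "", 0)
    return (nums, 0, m.group(2).lower(), int(m.group(3) or 0))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release on the affected branch, or None if unaffected."""
    key = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= key < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Pass one or more version strings on the command line; defaults are samples.
    for v in sys.argv[1:] or ["16.10.15", "17.4.8"]:
        fix = fixed_version_for(v)
        print(f"{v}: {'affected, upgrade to ' + fix if fix else 'not affected'}")
```

Note that the check is only as good as the version you feed it: a manually patched templates/changesdoc.vm does not change the reported version, so an instance fixed by the workaround will still show as affected here.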