PT-2026-51436 · Maven · Com.Xwiki.Pro:Xwiki-Pro-Macros

Publicado

2026-06-22

·

Atualizado

2026-06-22

·

CVE-2026-44179

CVSS v3.1

9.9

Crítica

VetorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

The excerpt-include macro does not properly escape the title of the included page and executes the content of the excerpt with the macro's rights. Therefore, it is vulnerable to XWiki syntax injection via the included page's title and content, allowing remote code execution for any user who can edit a page.

Details

The title of the included page isn't escaped in ExcerptInclude.xml#L277. Further, the content of the excerpt macro is rendered to XWiki syntax and output into the macro's content such that it is executed with the macro's rights.

PoC

  1. As a user without script or programming right, create a page named Exploit.
  2. In the edit screen, change the title to {{async}}{{groovy}}println("Hello from Groovy Title!"){{/groovy}}{{/async}}.
  3. Set the content to
{{excerpt-include 0="Exploit.WebHome"}}{{/excerpt-include}}

{{excerpt}}
 {{async}}{{groovy}}println("Hello from Groovy content!"){{/groovy}}{{/async}}
{{/excerpt}}
  1. Save and view the page.
  2. If this displays "Hello from Groovy Title!" without the surrounding macro code or "Hello from Groovy content!", the attack succeeded.

Impact

Remote code execution impacts the confidentiality, integrity and availability of the whole XWiki installation.

Correção

Eval Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-44179
GHSA-W56X-9778-RPPX

Produtos afetados

Com.Xwiki.Pro:Xwiki-Pro-Macros