PT-2026-31324 · Xwiki · Xwiki Platform
Azefzafyoussef
·
Published
2026-04-08
·
Updated
2026-04-08
·
CVE-2026-33229
CVSS v2.0: 10.0 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 17.4.8 (the 17.4.x line and everything older), and versions from 17.5 prior to 17.10.1
Description
The XWiki Platform's scripting API is improperly protected. A user holding only script right, which is meant to permit nothing more than sandboxed Velocity scripting, can bypass the Velocity sandbox and execute arbitrary Python scripts, a capability XWiki normally reserves for users with programming right. Python scripts run outside the sandbox with the full privileges of the wiki process, so the attacker can gain complete control of the XWiki instance, compromising its confidentiality, integrity, and availability.
Recommendations
Update to XWiki Platform version 17.4.8 or later if you run the 17.4.x line.
Update to XWiki Platform version 17.10.1 or later if you run 17.5 or newer.
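As an added triage check (example code written for this page, not part of the advisory, of PT's tooling, or of XWiki itself), the script below encodes the two fix releases above as affected ranges and classifies a version string, treating release candidates of a fix version as still affected. The `version_from_rest_root` helper assumes that the XWiki REST root resource (`/xwiki/rest`) returns an `<xwiki>` element with a `<version>` child in the `http://www.xwiki.org` namespace; that layout and the sample response embedded here are assumptions, not taken from the advisory.

```python
"""Affected-version triage for PT-2026-31324 / CVE-2026-33229 (XWiki Platform).

Added example, not code from the advisory or from XWiki. The ranges come
from the advisory's two fix releases: 17.4.8 (covers 17.4.x and everything
older) and 17.10.1 (covers 17.5 through 17.10.x).
"""
import re
import xml.etree.ElementTree as ET

# Fix releases stated in the advisory.
FIX_LTS = (17, 4, 8)      # 17.4.x line and anything older
FIX_STABLE = (17, 10, 1)  # 17.5 and later

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z][0-9A-Za-z.-]*))?$")


def parse_version(text):
    """Parse 'major.minor[.patch][-qualifier]' into a comparable tuple.

    A pre-release qualifier (e.g. '17.10.1-rc-1') sorts *before* the final
    release of the same number, so a release candidate of a fix version is
    still reported as affected.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    numeric = (int(major), int(minor), int(patch or 0))
    # (1, "") for final releases, (0, qualifier) for rc/milestone builds
    return numeric, ((0, qualifier) if qualifier else (1, ""))


def is_affected(version):
    """True if this XWiki Platform version falls inside the advisory's affected ranges."""
    v = parse_version(version)
    final = (1, "")
    if v[0][:2] <= (17, 4):
        # 17.4.x LTS line and everything older: fixed from 17.4.8
        return v < (FIX_LTS, final)
    # 17.5 and later: fixed from 17.10.1
    return v < (FIX_STABLE, final)


def version_from_rest_root(xml_text):
    """Extract <version> from an XWiki REST root document.

    Assumption (not from the advisory): the root resource is an <xwiki>
    element in the http://www.xwiki.org namespace carrying a <version> child.
    """
    root = ET.fromstring(xml_text)
    node = root.find("x:version", {"x": "http://www.xwiki.org"})
    if node is None:
        node = root.find("version")  # tolerate an un-namespaced document
    if node is None or not node.text:
        raise ValueError("no <version> element in REST root document")
    return node.text.strip()


# Constructed sample of a REST root response (not captured from a real server).
SAMPLE_REST_ROOT = """<?xml version="1.0" encoding="UTF-8"?>
<xwiki xmlns="http://www.xwiki.org"><version>17.10.0</version></xwiki>"""


def triage(versions):
    """Map each version string to 'affected' or 'fixed'."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    samples = ["16.10.5", "17.4.7", "17.4.8", "17.5.0",
               "17.10.0", "17.10.1-rc-1", "17.10.1", "18.0.0"]
    for v, state in triage(samples).items():
        print(f"{v:>14}  {state}")
    found = version_from_rest_root(SAMPLE_REST_ROOT)
    print("REST root sample:", found, "->", triage([found])[found])
```

Run it against the version string your instance reports; anything that prints `affected` needs one of the two updates listed in the recommendations.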
Tags: Fix · RCE · Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Xwiki Platform