PT-2026-32971 · Xwiki · Xwiki Platform
Published
2025-12-02
·
Updated
2026-05-04
·
CVE-2026-40105
CVSS v4.0
6.5
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 10.4-rc-1 through 16.10.15
XWiki Platform versions 17.0.0-rc-1 through 17.4.7
XWiki Platform versions 17.5.0-rc-1 through 17.10.0
Description
A reflected cross-site scripting (XSS) issue in the comparison view between page revisions allows the execution of JavaScript code in the user's browser. If an administrator is affected, the confidentiality, integrity, and availability of the entire instance may be compromised. The issue is caused by improper escaping of URL parameters.
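The mechanism in miniature, as an added illustration that is not XWiki's own code and not the contents of templates/changesdoc.vm: a revision-comparison template that interpolates URL parameters straight into HTML, its escaped counterpart, and a check that can be applied to a captured response body. The parameter names `rev1`/`rev2`, the URL shape, the template markup and the probe string are assumptions made for the example.

```python
"""Added example (not XWiki project code): reflected XSS through an
unescaped URL parameter in a revision-comparison view, and the fix.
The URL layout and the rev1/rev2 parameter names are assumptions."""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed probe: harmless on its own, but only shows up verbatim in the
# response when the template performs no HTML escaping.
PROBE = '"><img src=x onerror=alert(1)>'


def build_changes_url(page_path: str, rev1: str, rev2: str) -> str:
    """Build a comparison-view URL (hypothetical shape) with both revision
    parameters URL-encoded, the way a browser would send them."""
    return f"{page_path}?viewer=changes&rev1={quote(rev1)}&rev2={quote(rev2)}"


def _revisions(url: str) -> tuple[str, str]:
    """Decode rev1/rev2 from the query string; missing values become ''."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("rev1", [""])[0], params.get("rev2", [""])[0]


def render_vulnerable(url: str) -> str:
    """Template shape modelling the bug class in the advisory: the decoded
    parameters are placed into markup with no escaping, so any markup the
    attacker puts in the link is rendered by the victim's browser."""
    rev1, rev2 = _revisions(url)
    return f"<h2>Changes from version {rev1} to version {rev2}</h2>"


def render_fixed(url: str) -> str:
    """Same template with each parameter HTML-escaped before insertion.
    In a Velocity template the equivalent is wrapping the value in
    $escapetool.xml(...) (assumption about the fix, not the actual patch)."""
    rev1, rev2 = _revisions(url)
    return (
        f"<h2>Changes from version {html.escape(rev1, quote=True)} "
        f"to version {html.escape(rev2, quote=True)}</h2>"
    )


def reflects_unescaped(body: str, probe: str = PROBE) -> bool:
    """Check for a captured response body: True when the probe is echoed
    back byte-for-byte, i.e. the view did not escape the parameter."""
    return probe in body


if __name__ == "__main__":
    url = build_changes_url("/xwiki/bin/view/Sandbox/WebHome", PROBE, "1.2")
    print("vulnerable template reflects probe:", reflects_unescaped(render_vulnerable(url)))
    print("fixed template reflects probe:     ", reflects_unescaped(render_fixed(url)))
```

To use the check against a real instance, request the comparison view with the probe in a revision parameter using a session of a low-privileged test account and pass the response body to `reflects_unescaped`; a `True` result means the escaping fix is not in place. The `UI:P` component of the vector is the reason this matters: the JavaScript runs in whichever browser opens the crafted link, so the impact follows the victim's privileges, not the attacker's.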
Recommendations
For versions 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7, and 17.5.0-rc-1 through 17.10.0, apply the patch manually to templates/changesdoc.vm in the deployed WAR.
XSS
Affected Products
Xwiki Platform