PT-2026-42215 · Xwiki · Xwiki Platform
Majkelstick · Published 2026-05-20 · Updated 2026-05-26
CVE-2026-23734
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 18.1.0-rc-1
XWiki Platform versions prior to 17.10.3
XWiki Platform versions prior to 17.4.9
XWiki Platform versions prior to 16.10.17
Description
A path traversal vulnerability allows unauthorized reading of configuration files. It is triggered through the resource parameter of the 'ssx' and 'jsx' endpoints by using leading slashes, which lets an attacker access sensitive files such as xwiki.cfg.
Recommendations
Update to version 18.1.0-rc-1.
Update to version 17.10.3.
Update to version 17.4.9.
Update to version 16.10.17.
Fix
Relative Path Traversal
Weakness Enumeration
Related Identifiers
Affected Products
Xwiki Platform