PT-2026-43466 · Xwiki · Xwiki

Published: 2026-05-21 · Updated: 2026-05-26 · CVE-2026-48048

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

XWiki versions prior to 18.0.0RC1
XWiki versions prior to 17.10.13
XWiki versions prior to 17.4.9
XWiki versions prior to 16.10.17

Description

An insufficient patch allows for the discovery of password hashes one bit at a time by using modified parameters in LiveTableResults. By sending 768 requests, an attacker can retrieve the full password salt and hash of a user.

Recommendations

Update to version 18.0.0RC1.
Update to version 17.10.13.
Update to version 17.4.9.
Update to version 16.10.17.

As a temporary workaround, manually apply the patch to the XWiki.LiveTableResultsMacros wiki page.
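
Until the update is applied, the request volume stated in the description gives defenders something to look for in access logs. The following is an added example, not part of the advisory or of XWiki: it flags clients whose LiveTableResults requests within a sliding window approach the 768-request figure. The combined log format, the URL path, the 10-minute window and the threshold of a quarter of 768 are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: client address, timestamp, request path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*"')
REQUESTS_PER_ACCOUNT = 768       # figure stated in the advisory
WINDOW = timedelta(minutes=10)   # assumption: tune to your own traffic

def flag_clients(lines, threshold=REQUESTS_PER_ACCOUNT // 4, window=WINDOW):
    """Return {client: peak request count} for clients whose LiveTableResults
    requests inside any sliding window reach the threshold."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "LiveTableResults" not in m.group(3):
            continue
        client, stamp, _path = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        seen = recent[client]
        seen.append(when)
        while when - seen[0] > window:   # drop requests older than the window
            seen.popleft()
        if len(seen) >= threshold:
            peaks[client] = max(peaks.get(client, 0), len(seen))
    return peaks

def constructed_sample():
    """Constructed log lines: one client sending 768 requests at one per
    second, and one ordinary client sending five requests two minutes apart."""
    start = datetime(2026, 5, 27, 9, 0, tzinfo=timezone.utc)
    row = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    path = "/xwiki/bin/get/XWiki/LiveTableResults?constructed=1"  # assumed URL
    def line(ip, offset, p=path):
        ts = (start + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return row.format(ip=ip, ts=ts, path=p)
    lines = [line("203.0.113.7", s) for s in range(REQUESTS_PER_ACCOUNT)]
    lines += [line("198.51.100.20", s * 120) for s in range(5)]
    lines.append(line("198.51.100.20", 700, "/xwiki/bin/view/Main/"))
    return lines

if __name__ == "__main__":
    for client, peak in flag_clients(constructed_sample()).items():
        print(f"{client}: {peak} LiveTableResults requests within {WINDOW}")
```

Lines for each client must be in chronological order, as they are in a normal access log. Requests spread over a longer period than the window stay below the threshold, so lower it or widen the window to match how ordinary live tables behave on your instance.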

Related Identifiers

CVE-2026-48048
GHSA-RH28-MQJ4-8X59

Affected Products

Xwiki