PT-2026-4526 · Xwiki · Xwiki Platform

Mikecole-Mg · Published 2026-01-23 · Updated 2026-02-12 · CVE-2026-24128

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 7.0-milestone-2 through 16.10.11
XWiki Platform versions 17.0.0-rc-1 through 17.4.4
XWiki Platform versions 17.5.0-rc-1 through 17.7.0
Description
The XWiki Platform contains a reflected cross-site scripting (XSS) vulnerability. An attacker can craft a malicious URL that, when opened by a victim, executes arbitrary actions in the victim's browser with the victim's privileges. If the victim holds administrative or programming rights, the attacker can gain full control of the XWiki installation. The issue resides in the platform's logging infrastructure, where a crafted extension identifier can be used to inject malicious script.
Recommendations
XWiki Platform versions 7.0-milestone-2 through 16.10.11: update to version 16.10.12 or later.
XWiki Platform versions 17.0.0-rc-1 through 17.4.4: update to version 17.4.5 or later.
XWiki Platform versions 17.5.0-rc-1 through 17.7.0: update to version 17.8.0-rc-1 or later.
As a workaround, apply the patch manually by changing a single line in the templates/logging_macros.vm file; no restart is required.

XSS

Weakness Enumeration

Related Identifiers

BDU:2026-00973
CVE-2026-24128
GHSA-WVQX-M5PX-6CMP

Affected Products

Xwiki Platform