PT-2026-56212 · Xwiki+1 · Xwiki+1
Published
2026-07-06
·
Updated
2026-07-07
·
CVE-2026-34151
CVSS v4.0
8.2
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
xWiki versions prior to 17.10.5
xWiki versions prior to 18.2.0
Description
When used with Jetty 12+, a user can craft a URL to access any resource the Jetty instance is permitted to access. This allows for the unauthorized download of sensitive files, such as the
/etc/passwd file or internal configuration files like xwiki.cfg located in the WEB-INF directory. This is achieved by using encoded path traversal sequences in the URL.Recommendations
Update to version 17.10.5.
Update to version 18.2.0.
Use an application server other than Jetty 12+, such as Tomcat or Jetty versions prior to 12 (for XWiki versions prior to 17).
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jetty
Xwiki