PT-2026-56212 · Xwiki+1 · Xwiki+1

Published

2026-07-06

·

Updated

2026-07-07

·

CVE-2026-34151

CVSS v4.0

8.2

High

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions xWiki versions prior to 17.10.5 xWiki versions prior to 18.2.0
Description When used with Jetty 12+, a user can craft a URL to access any resource the Jetty instance is permitted to access. This allows for the unauthorized download of sensitive files, such as the /etc/passwd file or internal configuration files like xwiki.cfg located in the WEB-INF directory. This is achieved by using encoded path traversal sequences in the URL.
Recommendations Update to version 17.10.5. Update to version 18.2.0. Use an application server other than Jetty 12+, such as Tomcat or Jetty versions prior to 12 (for XWiki versions prior to 17).

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-34151
GHSA-QJ4X-9G63-25G6

Affected Products

Jetty
Xwiki