Arbitrary file deletion on logout
Description
Remote attackers may delete arbitrary files on a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefully crafted HTTP request on logout, provided that those files are reachable by the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache JSPWiki up to 2.11.0.M8 allows remote arbitrary file deletion via crafted logout request.
Vulnerability
Apache JSPWiki versions up to and including 2.11.0.M8 contain an arbitrary file deletion vulnerability in the logout functionality. By sending a specially crafted HTTP request during the logout process, a remote attacker can delete files on the server that are reachable by the user account running the JSPWiki instance. The vulnerability affects all JSPWiki deployments prior to version 2.11.0 [1] [3].
Exploitation
An attacker does not need prior authentication; a crafted HTTP request to the logout endpoint is sufficient. The attacker must craft a request that includes a file path parameter pointing to a target file on the server. No user interaction beyond the attacker sending the request is required, and there is no race condition. The attack can be performed remotely over the network [1] [3].
Impact
Successful exploitation allows the attacker to delete arbitrary files on the server filesystem, limited only by the permissions of the user running the JSPWiki instance. This could lead to denial of service, data loss, or potentially assist in further compromise if critical files (e.g., configuration files, application binaries) are removed [1] [3].
Mitigation
Users should upgrade to Apache JSPWiki version 2.11.0 or later, which contains the fix for this vulnerability [1] [3]. The vendor has not disclosed a specific workaround for unpatched installations. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.jspwiki:jspwiki-main | Maven | < 2.11.0 | 2.11.0 |
Affected products
- Apache Software Foundation / Apache JSPWiki (range: Apache JSPWiki)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-8gw6-w5rw-4g5c (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-44140 (NVD advisory)
3. jspwiki-wiki.apache.org/Wiki.jsp (web)
4. lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t (web, announcement list)
News mentions
No linked articles in our index yet.