XSS vulnerability on XHRHtml2Markup.jsp in JSPWiki 2.11.2
Description
A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted request on XHRHtml2Markup.jsp in Apache JSPWiki ≤2.11.2 enables stored XSS, allowing attacker JavaScript execution in a victim's browser.
Vulnerability
CVE-2022-27166 is a cross-site scripting (XSS) vulnerability in Apache JSPWiki up to and including version 2.11.2. The issue resides in XHRHtml2Markup.jsp, where a carefully crafted request fails to properly sanitize user input. An attacker can inject malicious scripts that are then reflected or stored and executed in the context of the victim's session [1].
Exploitation
Exploitation requires no elevated privileges; any user capable of sending requests to the wiki application can trigger the vulnerable endpoint. The attack surface is the wiki's interface, and no authentication is strictly necessary if the application allows anonymous access. The crafted input is processed by XHRHtml2Markup.jsp without adequate output encoding, leading to script injection [1].
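The paragraph above attributes the flaw to a request parameter being written back without adequate output encoding. The following Java class is an added illustration for this page, not code from JSPWiki or from the fixed XHRHtml2Markup.jsp: it places the unsafe echo pattern beside the HTML-encoding form a defender would expect, using a hypothetical `renderUnsafe`/`renderSafe` pair and a constructed sample request.

```java
// Added example (not JSPWiki's code): HTML output encoding of an untrusted
// request parameter before it is written into a response. Method names and
// the sample request are constructed for this illustration.
import java.util.Map;

public final class OutputEncodingExample {

    /** Encodes the five characters that let untrusted text break out of an HTML text node or attribute. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the request parameter is copied into the response body unchanged. */
    static String renderUnsafe(Map<String, String> params) {
        return "<div class=\"result\">" + params.get("html") + "</div>";
    }

    /** Hardened pattern: the same parameter is HTML-encoded before it is written. */
    static String renderSafe(Map<String, String> params) {
        return "<div class=\"result\">" + escapeHtml(params.get("html")) + "</div>";
    }

    public static void main(String[] args) {
        // Constructed sample request parameter containing a script element.
        Map<String, String> request = Map.of("html", "<script>alert(1)</script>");

        System.out.println("unsafe: " + renderUnsafe(request));
        System.out.println("safe:   " + renderSafe(request));

        // Regression check: the encoded payload must not contain a raw tag delimiter.
        String safe = renderSafe(request);
        String body = safe.substring("<div class=\"result\">".length(),
                                     safe.length() - "</div>".length());
        if (body.indexOf('<') >= 0 || body.indexOf('>') >= 0) {
            throw new AssertionError("output encoding failed");
        }
    }
}
```

The hand-written encoder is kept short so the difference between the two render methods is visible; production code should use a maintained encoder such as the OWASP Java Encoder, applied in the context (HTML body, attribute, JavaScript, URL) into which the value is written. For an endpoint that returns converted markup as data rather than as a page, serving it with a non-HTML Content-Type is an additional layer, since the browser then does not interpret any tags in the body.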
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to theft of sensitive information such as session cookies, authentication tokens, or personal data displayed on the page. The attacker may also perform actions on behalf of the victim, such as modifying wiki content or performing administrative actions if the victim has elevated privileges [1].
Mitigation
The Apache JSPWiki project has addressed this vulnerability in version 2.11.3. Users are advised to upgrade to this or a later release. No official workaround is documented; however, restricting network access to the JSPWiki application can reduce exposure. The vulnerability is not known to be exploited in the wild as of the publication date [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.jspwiki:jspwiki-main (Maven) | < 2.11.3 | 2.11.3 |
Affected products
- Apache Software Foundation / Apache JSPWiki
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-2fxf-qj94-3f83 (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-27166 (NVD advisory)
- [3] jspwiki-wiki.apache.org/Wiki.jsp (project web page)
News mentions
No linked articles in our index yet.