XWiki Commons may allow privilege escalation to programming rights via user's first name
Description
XWiki Commons 3.1-milestone-1 to 13.10.8/14.4.3 allow any user to inject and execute code with programming rights via short text fields like user profile names.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2023-26055 is a code injection vulnerability in XWiki Commons, affecting versions starting from 3.1-milestone-1 [1]. The root cause is insufficient escaping of short text properties when rendered. This allows any user to inject wiki macro or scripting code (e.g., Groovy) into fields such as their own first name, which is then interpreted and executed on the server [4].
Attack
Vector and Exploitation
The attack can be performed by any authenticated user with edit rights. The simplest exploit uses the user profile's first name field: setting it to a crafted payload like {{cache id="userProfile"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}} causes the injected Groovy code to be executed [4]. The same technique works in any application that uses short text fields, including those created with Apps Within Minutes (AWM) [3]. No special privileges beyond standard edit rights are required.
Impact
Successful exploitation escalates privileges to programming rights, which in XWiki grants the ability to execute arbitrary server-side code, access the file system, and compromise the entire wiki instance [2][4]. The vulnerability is classified as blocker severity in XWiki's issue tracker [3].
Mitigation
The issue is patched in versions 13.10.9, 14.4.4, and 14.7RC1 [1][4]. No workarounds exist other than upgrading the affected xwiki-commons-xml JAR or applying the fix directly [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.commons:xwiki-commons-xml (Maven) | >= 3.1-milestone-1, < 13.10.9 | 13.10.9 |
| org.xwiki.commons:xwiki-commons-xml (Maven) | >= 14.0-rc-1, < 14.4.4 | 14.4.4 |
| org.xwiki.commons:xwiki-commons-xml (Maven) | >= 14.5, < 14.7-rc-1 | 14.7-rc-1 |
Affected products
- Range: >= 3.1-milestone-1, < 13.10.9
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of escape, meta, or control sequences in short text property rendering allows injected XWiki macros to be executed with programming rights."
Attack vector
An attacker with only edit rights sets a short text property (e.g., their first name in their profile, or a field in an AWM application) to a value containing XWiki syntax such as `{{cache}}` and `{{groovy}}` macros [ref_id=2][ref_id=3]. When the property is rendered, the injected macros are executed with programming rights instead of being displayed as escaped text [ref_id=1]. This allows the attacker to run arbitrary Groovy or Velocity code, escalating from edit privileges to full programming rights [CWE-150].
Affected code
The vulnerability resides in the short text property rendering logic within the `xwiki-commons-xml` module. The advisory [ref_id=2] identifies the package `org.xwiki.commons:xwiki-commons-xml` as the affected component. The Jira issues [ref_id=1] and [ref_id=3] show that the bug is triggered when short text fields (such as a user's first name or AWM application short text fields) are displayed without proper escaping.
What the fix does
The patch was released in versions 13.10.9, 14.4.4, and 14.7RC1 [ref_id=2]. The fix addresses the improper neutralization of escape sequences in short text properties, ensuring that user-supplied values are properly escaped before rendering so that XWiki syntax (such as `{{cache}}` and `{{groovy}}` macros) is displayed as literal text rather than being interpreted and executed. No patch diff is provided in the bundle, but the advisory [ref_id=2] states that upgrading or patching the `xwiki-commons-xml` JAR file resolves the issue.
Preconditions
- Auth: Attacker must have edit rights on their own profile or on an AWM application entry with a short text field
- Config: The short text field must have been created by a user with programming rights (for AWM applications)
- Input: Attacker can inject XWiki macro syntax into the short text field value
Reproduction
1. Log in as a user without script rights.
2. Set your first name to `{{cache id="userProfile"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}}` [ref_id=3].
3. Observe that the first name is rendered as "Hello from groovy!" instead of the escaped literal text, confirming code execution with programming rights [ref_id=2].
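Because the patch only stops future rendering from interpreting the injected syntax, an administrator upgrading an instance will also want to know whether any stored short text values already contain macro markup. The audit below is an added example, not XWiki's own code: it scans a constructed export of user profile properties for XWiki 2.x macro openers (`{{name ...}}`) and separates values that open a script macro from values that only open a display macro. The set of script macro names and the export record layout are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Matches the opening of an XWiki 2.x macro such as {{groovy}} or
# {{cache id="userProfile"}}. Closing markers ({{/groovy}}) begin with "/"
# and are deliberately not matched; an unterminated "{{" is ignored too.
MACRO_OPEN = re.compile(r"\{\{\s*([A-Za-z][\w-]*)[^}]*\}\}")

# Assumption: macro names that run server-side script when rendered with
# programming rights. Illustrative list, not taken from XWiki's sources.
SCRIPT_MACROS = frozenset({"groovy", "velocity", "python", "php", "ruby", "script"})


@dataclass
class Finding:
    document: str                   # wiki document holding the object, e.g. XWiki.bob
    field_name: str                 # short text property that carries the markup
    macros: list = field(default_factory=list)   # macro names opened, in order
    executes_script: bool = False   # True if any opened macro is a script macro


def find_macros(value: str) -> list:
    """Return the distinct macro names opened in a short text value, in order."""
    seen = []
    for name in MACRO_OPEN.findall(value):
        lowered = name.lower()
        if lowered not in seen:
            seen.append(lowered)
    return seen


def audit(records) -> list:
    """Flag every record whose short text value opens at least one macro.

    `records` is an iterable of dicts with the keys document, field and value
    (assumed export layout for this example).
    """
    findings = []
    for rec in records:
        macros = find_macros(rec["value"])
        if macros:
            findings.append(Finding(
                rec["document"], rec["field"], macros,
                any(name in SCRIPT_MACROS for name in macros)))
    return findings


# Constructed sample export of XWiki.XWikiUsers short text properties.
SAMPLE_EXPORT = [
    {"document": "XWiki.alice", "field": "first_name", "value": "Alice"},
    {"document": "XWiki.bob", "field": "first_name",
     "value": '{{cache id="userProfile"}}{{groovy}}println("Hello from groovy!")'
              '{{/groovy}}{{/cache}}'},
    {"document": "XWiki.carol", "field": "last_name", "value": "{{info}}Hi{{/info}}"},
    {"document": "XWiki.dave", "field": "first_name", "value": "O'Brien {{ not a macro"},
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        level = "SCRIPT" if finding.executes_script else "markup"
        print(f"{level:6} {finding.document}.{finding.field_name}: {finding.macros}")
```

Run against a real export, only the `executes_script` findings need immediate review; the others show that users can still get markup into profile fields, which is exactly what the fix neutralises at render time.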
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8cw6-4r32-6r3h (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-26055 (advisory)
- github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h (x_refsource_CONFIRM, web)
- jira.xwiki.org/browse/XCOMMONS-2498 (x_refsource_MISC, web)
- jira.xwiki.org/browse/XWIKI-19793 (x_refsource_MISC, web)
- jira.xwiki.org/browse/XWIKI-19794 (x_refsource_MISC, web)
News mentions
No linked articles in our index yet.