Critical severityNVD Advisory· Published Mar 2, 2023· Updated Mar 5, 2025

XWiki Platform vulnerable to Remote Code Execution in Annotations

CVE-2023-26475

Description

XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-annotation-uiMaven	>= 2.3-milestone-1, < 13.10.11	13.10.11
org.xwiki.platform:xwiki-platform-annotation-uiMaven	>= 14.0-rc-1, < 14.4.7	14.4.7
org.xwiki.platform:xwiki-platform-annotation-uiMaven	>= 14.5, < 14.10	14.10

Affected products

Xwiki/Xwiki Platformv5
Range: >= 2.3-milestone-1, < 13.10.11

Patches

d87d7bfd8db1

XWIKI-20384: Use the new textarea restricted setup in comments

https://github.com/xwiki/xwiki-platformThomas MortagneNov 18, 2022via ghsa

commit

1 file changed · +1 −1

xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/internal/mandatory/XWikiCommentsDocumentInitializer.java

+1 −1 modified

@@ -87,7 +87,7 @@ protected void createClass(BaseClass xclass)
         xclass.addNumberField("replyto", "Reply To", 5, "integer");
 
         String commentPropertyName = "comment";
-        xclass.addTextAreaField(commentPropertyName, "Comment", 40, 5);
+        xclass.addTextAreaField(commentPropertyName, "Comment", 40, 5, true);
 
         // FIXME: Ensure that the comment text editor is set to its default value after an upgrade. This should be
         // handled in a cleaner way in BaseClass#addTextAreaField. See: https://jira.xwiki.org/browse/XWIKI-17605

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-h6f5-8jj5-cxhrghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-26475ghsaADVISORY
github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7ghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhrghsax_refsource_CONFIRMWEB
jira.xwiki.org/browse/XWIKI-20360ghsax_refsource_MISCWEB
jira.xwiki.org/browse/XWIKI-20384ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.028
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000