HTML sanitizer allows form elements in restricted in org.xwiki.commons:xwiki-commons-xml
Description
XWiki's HTML sanitizer allowed form tags, enabling phishing and RCE via crafted input in sheets, patched in 14.10.6 and 15.2RC1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The HTML sanitizer introduced in XWiki 14.6RC1 incorrectly allowed `form`, `input` and the other form-related HTML tags (`select`, `textarea`, `button`) [1]. The cause was an overly permissive allowlist in `HTMLDefinitions.java`, which listed these tags alongside ordinary content tags instead of restricting them [2]. As a result, users without script right could inject interactive form elements into pages or sheets.
Exploitation
An attacker with edit right but without script or programming right modifies the content of a sheet so that it includes a hidden input element whose value carries a malicious payload, such as a Groovy script [3]. When an administrator later edits a document that uses this sheet, the sheet is rendered inside the edit form, so the injected input becomes a field of that form [4]. When the administrator submits the form (possibly without noticing, because the page looks normal, or because the admin is tricked into saving), the attacker-controlled value is saved as part of the admin's submission and the payload executes with the admin's privileges [1]. The same primitive can be used to build fake login forms for phishing, again aimed at administrators or other highly privileged users [3].
Impact
Successful exploitation gives an attacker without script right remote code execution (RCE) with the privileges of the victim, typically an administrator, which amounts to full compromise of the XWiki instance [4]. The phishing variant can instead steal credentials. Exploitation requires the attacker to craft an edit form that looks plausible and depends on an administrator submitting it, which limits the attack's reliability but not its severity [1].
Mitigation
The vulnerability is fixed in XWiki Commons 14.10.6 and 15.2RC1 by removing the form-related tags (`form`, `input`, `select`, `textarea`, `button`) from the sanitizer's default allowlist [2][4]. As a workaround on unpatched versions, administrators can forbid these tags explicitly by adding them to the `xml.htmlElementSanitizer.forbidTags` option in `xwiki.properties` [1][4]. The workaround should be treated as temporary; upgrading to a patched version is strongly advised.
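The three passages above (the allowlist in `HTMLDefinitions.java`, the hidden input injected into an edit form, and the `forbidTags` workaround) can be seen together in one runnable model. The following Python is an added example written for this page, not XWiki's code: it implements a small allowlist element sanitizer in the style of the fix commit, runs it over constructed sheet content containing a hidden input, and compares the pre-fix allowlist, the post-fix allowlist, and the pre-fix allowlist with the workaround applied. The tag subset, the attribute allowlist, the field name `content`, the Groovy macro placeholder and the comma-separated format of the `forbidTags` value are all assumptions of the example.

```python
"""Allowlist element sanitizer modelled on the XCOMMONS-2634 fix (added example, not XWiki code)."""
from html import escape
from html.parser import HTMLParser

# Five tags the fix commit removed from the HTMLDefinitions allowlist.
FORM_TAGS = {"form", "input", "select", "textarea", "button"}
# Assumption: a small subset of the remaining allowlist, enough for the demo.
BASE_TAGS = {"a", "b", "br", "div", "em", "fieldset", "h1", "h2", "i", "label",
             "legend", "li", "ol", "p", "pre", "span", "strong", "table", "td",
             "th", "tr", "ul"}
VULNERABLE_TAGS = BASE_TAGS | FORM_TAGS  # allowlist from 14.6RC1 until the fix
FIXED_TAGS = BASE_TAGS                   # allowlist from 14.10.6 / 15.2RC1
# Assumption: attribute allowlist and void-tag set are this demo's, not XWiki's.
ALLOWED_ATTRS = {"class", "id", "title", "href", "name", "type", "value", "colspan"}
VOID_TAGS = {"br", "hr", "img", "input"}


class AllowlistSanitizer(HTMLParser):
    """Keep only allowlisted elements. A disallowed element is dropped but its
    children are kept and re-checked, so an <input> inside a dropped <form> is
    still removed on its own."""

    def __init__(self, allowed_tags, forbid_tags=()):
        super().__init__(convert_charrefs=True)
        # forbid_tags plays the role of xml.htmlElementSanitizer.forbidTags:
        # it always wins over the allowlist.
        self.allowed = set(allowed_tags) - set(forbid_tags)
        self.out = []
        self.dropped = []

    def is_element_allowed(self, tag):
        return tag.lower() in self.allowed

    def handle_starttag(self, tag, attrs):
        if not self.is_element_allowed(tag):
            self.dropped.append(tag)
            return
        kept = "".join(
            f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs if k in ALLOWED_ATTRS
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self.is_element_allowed(tag) and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

    def result(self):
        return "".join(self.out)


def sanitize(html, allowed_tags, forbid_tags=()):
    """Return (sanitized_html, list_of_dropped_tag_names)."""
    parser = AllowlistSanitizer(allowed_tags, forbid_tags)
    parser.feed(html)
    parser.close()
    return parser.result(), parser.dropped


def element_allowed(tag, allowed_tags=FIXED_TAGS):
    """Mirror of the isElementAllowed check exercised by the patch's unit test."""
    return AllowlistSanitizer(allowed_tags).is_element_allowed(tag)


# Constructed sheet content: what an attacker with edit right could save. The hidden
# field rides along in whatever edit form renders this sheet. The field name and the
# Groovy macro placeholder are illustrative assumptions, not taken from the advisory.
SHEET_HTML = (
    '<div class="sheet"><p>Document title: <strong>Quarterly report</strong></p>'
    '<form><input type="hidden" name="content" value="{{groovy}}/* payload */{{/groovy}}">'
    '<button type="submit">Save</button></form></div>'
)


def vulnerable_output():
    """Pre-fix allowlist: form, input and button survive untouched."""
    return sanitize(SHEET_HTML, VULNERABLE_TAGS)


def fixed_output():
    """Post-fix allowlist: the form tags are gone, only the button's text remains."""
    return sanitize(SHEET_HTML, FIXED_TAGS)


def workaround_output():
    """Pre-fix allowlist plus the xwiki.properties workaround. Assumption: the
    option takes a comma-separated list, i.e.
    xml.htmlElementSanitizer.forbidTags=form,input,select,textarea,button"""
    forbid = "form,input,select,textarea,button".split(",")
    return sanitize(SHEET_HTML, VULNERABLE_TAGS, forbid)


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_output), ("fixed", fixed_output),
                     ("workaround", workaround_output)):
        html_out, dropped = fn()
        print(f"{name:10s} dropped={dropped}\n           {html_out}")
```

Running it shows the pre-fix allowlist passing the sheet through unchanged, hidden input included, while the fixed allowlist and the workaround both drop `form`, `input` and `button` and keep only the button's text. The `dropped` list is what a regression test or a log-based detection would assert on; the end-to-end comparison matters because an allowlist check on the tag name alone does not show that the element is actually removed from markup.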
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.commons:xwiki-commons-xml (Maven) | >= 14.6-rc-1, < 14.10.6 | 14.10.6 |
| org.xwiki.commons:xwiki-commons-xml (Maven) | >= 15.0-rc-1, < 15.2-rc-1 | 15.2-rc-1 |
Affected products
- Range: >= 14.6-rc-1, < 14.10.6
Patches
99484d48e899 XCOMMONS-2634: Disallow form-related tags in HTML sanitizer
2 files changed · +14 −5
xwiki-commons-core/xwiki-commons-xml/src/main/java/org/xwiki/xml/internal/html/HTMLDefinitions.java+6 −5 modified@@ -60,16 +60,17 @@ public class HTMLDefinitions */ public HTMLDefinitions() { + // Compared to DOMPurify, this disallows form-related tags as they can be dangerous in the context of XWiki. this.htmlTags = new HashSet<>( Arrays.asList("a", "abbr", "acronym", "address", "area", "article", "aside", "audio", "b", "bdi", "bdo", - "big", "blink", "blockquote", "body", "br", "button", "canvas", "caption", "center", "cite", "code", + "big", "blink", "blockquote", "body", "br", "canvas", "caption", "center", "cite", "code", "col", "colgroup", "content", "data", "datalist", "dd", "decorator", "del", "details", "dfn", "dialog", - "dir", "div", "dl", "dt", "element", "em", "fieldset", "figcaption", "figure", "font", "footer", "form", - "h1", "h2", "h3", "h4", "h5", "h6", "head", "header", "hgroup", "hr", "html", "i", "img", "input", + "dir", "div", "dl", "dt", "element", "em", "fieldset", "figcaption", "figure", "font", "footer", + "h1", "h2", "h3", "h4", "h5", "h6", "head", "header", "hgroup", "hr", "html", "i", "img", "ins", "kbd", "label", "legend", "li", "main", "map", "mark", "marquee", "menu", "menuitem", "meter", "nav", "nobr", "ol", "optgroup", "option", "output", "p", "picture", "pre", "progress", "q", "rp", "rt", - "ruby", "s", "samp", "section", "select", "shadow", "small", "source", "spacer", "span", "strike", - "strong", "style", "sub", "summary", "sup", "table", "tbody", "td", "template", "textarea", "tfoot", + "ruby", "s", "samp", "section", "shadow", "small", "source", "spacer", "span", "strike", + "strong", "style", "sub", "summary", "sup", "table", "tbody", "td", "template", "tfoot", "th", "thead", "time", "tr", "track", "tt", "u", "ul", "var", "video", "wbr")); // Attributes that are in general allowed. Note that "target" is not generally safe, but XWiki contains code
xwiki-commons-core/xwiki-commons-xml/src/test/java/org/xwiki/xml/internal/html/SecureHTMLElementSanitizerTest.java+8 −0 modified@@ -25,6 +25,7 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.CsvSource; +import org.junit.jupiter.params.provider.ValueSource; import org.xwiki.test.annotation.BeforeComponent; import org.xwiki.test.annotation.ComponentList; import org.xwiki.test.junit5.mockito.ComponentTest; @@ -88,6 +89,13 @@ void forbiddenTags() assertFalse(this.secureHTMLElementSanitizer.isElementAllowed(HTMLConstants.TAG_A)); } + @ParameterizedTest + @ValueSource(strings = { "form", "input", "select", "textarea", "button" }) + void formTags(String tagName) + { + assertFalse(this.secureHTMLElementSanitizer.isElementAllowed(tagName)); + } + @Test void forbiddenAttributes() {
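Review bot: the new comment at the top of the HTMLDefinitions constructor ("this disallows form-related tags") overstates what the hunk removes: only `button`, `form`, `input`, `select` and `textarea` leave the set, while `datalist`, `fieldset`, `label`, `legend`, `optgroup`, `option` and `output` stay allowed. Say so in the comment, e.g. "disallows the form-owning and submittable tags (form, input, select, textarea, button); non-submittable helpers such as label and fieldset remain", so a later reader does not take the retained entries for an oversight, and add a pointer to XCOMMONS-2634 so the reason survives a reformat of the list.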
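Review bot: the new `formTags` test only checks the five lowercase names against `isElementAllowed`; if that method does not normalise case, `FORM` or `Input` would still pass and the test would not notice, so either add mixed-case values to the `@ValueSource` or assert case-insensitivity explicitly. One end-to-end assertion that feeds a small document containing `<form><input></form>` through the sanitizer and checks that no `input` element survives would also be worth adding, since a unit check of the allowlist alone does not show that the element is removed from actual markup.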
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6pqf-c99p-758v (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-36471 (NVD)
- github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3 (fix commit)
- github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v (XWiki security advisory)
- jira.xwiki.org/browse/XCOMMONS-2634 (XWiki Jira issue)