VYPR
Critical severity · NVD Advisory · Published Jun 12, 2025 · Updated Jan 12, 2026

XWiki allows SQL injection in query endpoint of REST API with Oracle

CVE-2024-56158

Description

XWiki is a generic wiki platform. On an Oracle database it is possible to execute arbitrary SQL through the query endpoint of the REST API by calling Oracle functions such as DBMS_XMLGEN or DBMS_XMLQUERY, which take a SQL statement as an argument and run it. Two things combine to make this reachable: Hibernate allows any native database function to be called from an HQL query, and the XWiki query validator does not filter function calls that appear in an otherwise plain select statement. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.
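The check a validator needs here is a function-call allowlist: every name followed by an opening parenthesis in the HQL text must be one the application expects, so that package calls such as DBMS_XMLGEN.GETXML never reach Hibernate. The block below is an added illustration of that idea, not XWiki's own validator or its patch; the allowlist, the helper names and the HQL strings in the usage block are constructed for the example (XWikiDocument is used as an entity name only for realism).

```python
import re

# Functions a read-only wiki query legitimately needs. This set is an assumption
# made for the example; it is not XWiki's configuration.
ALLOWED_FUNCTIONS = {
    "count", "max", "min", "sum", "avg", "lower", "upper", "length", "trim",
    "concat", "coalesce", "year", "month", "day",
}

# An HQL string literal: single-quoted, with '' as the escaped quote.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")

# An identifier, optionally dotted (package.function), followed by "(".
# $ and # are included because Oracle identifiers may contain them.
_CALL = re.compile(r"\b([A-Za-z_][\w$#]*(?:\.[A-Za-z_][\w$#]*)*)\s*\(")

# Keywords that are followed by "(" in HQL but are not function calls.
_NOT_CALLS = {"in", "exists", "not", "and", "or", "select", "from", "where"}


def called_functions(hql: str) -> list[str]:
    """Return every function name invoked by the query, lowercased, in order.

    String literals are blanked first, so a function name that only appears
    inside quotes (for example as a search term) is not reported.
    """
    stripped = _STRING_LITERAL.sub("''", hql)
    names = []
    for match in _CALL.finditer(stripped):
        name = match.group(1).lower()
        if name in _NOT_CALLS:
            continue
        names.append(name)
    return names


def disallowed_functions(hql: str) -> list[str]:
    """Function names used by the query that are not on the allowlist.

    A dotted name such as dbms_xmlgen.getxml can never equal a bare
    allowlisted name, so every database package call is rejected.
    """
    return [name for name in called_functions(hql) if name not in ALLOWED_FUNCTIONS]


def is_safe_query(hql: str) -> bool:
    """True when the query only calls allowlisted functions."""
    return not disallowed_functions(hql)


if __name__ == "__main__":
    # Constructed sample queries: two ordinary wiki lookups and two that smuggle
    # an Oracle package call, one of them nested inside an allowed function.
    samples = [
        "select doc.fullName from XWikiDocument doc where doc.space = 'Main'",
        "select count(doc.fullName) from XWikiDocument doc where lower(doc.space) = 'main'",
        "select dbms_xmlgen.getxml('select 1 from dual') from XWikiDocument doc",
        "select upper(dbms_xmlquery.getxml('select 1 from dual')) from XWikiDocument doc",
    ]
    for query in samples:
        print(is_safe_query(query), disallowed_functions(query), query)
```

Blanking string literals before scanning matters in both directions: it keeps a user's search term from triggering a false rejection, and it keeps an attacker from hiding the inner SQL statement from the scanner, since the outer call name is still visible after the literal is removed.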

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                              Affected versions             Patched version
org.xwiki.platform:xwiki-platform-oldcore (Maven)    >= 1.0, < 15.10.16            15.10.16
org.xwiki.platform:xwiki-platform-oldcore (Maven)    >= 16.0.0-rc-1, < 16.4.7      16.4.7
org.xwiki.platform:xwiki-platform-oldcore (Maven)    >= 16.5.0-rc-1, < 16.10.2     16.10.2
