VYPR
Critical severityNVD Advisory· Published May 20, 2026· Updated May 21, 2026

CVE-2026-23734

CVE-2026-23734

Description

XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability is can be exploited via resources parameter the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xwiki.commons:xwiki-commons-classloader-apiMaven
>= 4.2-milestone-2, < 16.10.1716.10.17
org.xwiki.commons:xwiki-commons-classloader-apiMaven
>= 17.0.0-rc-1, < 17.4.917.4.9
org.xwiki.commons:xwiki-commons-classloader-apiMaven
>= 17.5.0, < 17.10.317.10.3
org.xwiki.commons:xwiki-commons-classloader-apiMaven
>= 18.0.0-rc-1, < 18.1.0-rc-118.1.0-rc-1

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.