Critical severityNVD Advisory· Published May 20, 2026· Updated May 21, 2026
CVE-2026-23734
CVE-2026-23734
Description
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability is can be exploited via resources parameter the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.commons:xwiki-commons-classloader-apiMaven | >= 4.2-milestone-2, < 16.10.17 | 16.10.17 |
org.xwiki.commons:xwiki-commons-classloader-apiMaven | >= 17.0.0-rc-1, < 17.4.9 | 17.4.9 |
org.xwiki.commons:xwiki-commons-classloader-apiMaven | >= 17.5.0, < 17.10.3 | 17.10.3 |
org.xwiki.commons:xwiki-commons-classloader-apiMaven | >= 18.0.0-rc-1, < 18.1.0-rc-1 | 18.1.0-rc-1 |
Affected products
2- Range: < 16.10.17, < 17.4.9, < 17.10.3, < 18.1.0-rc-1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-xq3r-2qv5-vqqmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-23734ghsaADVISORY
- github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bfnvdWEB
- github.com/xwiki/xwiki-commons/security/advisories/GHSA-xq3r-2qv5-vqqmnvdWEB
- jira.xwiki.org/browse/XCOMMONS-3547nvdWEB
News mentions
0No linked articles in our index yet.