Medium severity6.1NVD Advisory· Published Apr 15, 2026· Updated Apr 23, 2026

CVE-2026-40105

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-web-templatesMaven	>= 10.4-rc-1, < 16.10.16	16.10.16
org.xwiki.platform:xwiki-platform-web-templatesMaven	>= 17.0.0-rc-1, < 17.4.8	17.4.8
org.xwiki.platform:xwiki-platform-web-templatesMaven	>= 17.5.0-rc-1, < 17.10.1	17.10.1

Affected products

Xwiki/Xwiki
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Range: >=10.4,<16.10.16

Patches

3c8a2ec98564

XWIKI-23472: URL generation in the changes view is broken

https://github.com/xwiki/xwiki-platformMichael HamannDec 2, 2025via ghsa

commit

2 files changed · +177 −8

xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/changesdoc.vm+16 −8 modified

@@ -23,44 +23,52 @@
 ##
 
 #if ("$!previousOrigdocVersion" != '')
-  #set ($changesLink = ${xwiki.getURL($tdoc, 'view', "viewer=changes&rev1=${previousOrigdocVersion}&rev2=${rev2}")})
+  #set ($changesLink = ${xwiki.getURL($tdoc, 'view',
+    $escapetool.url({'viewer': 'changes', 'rev1': $previousOrigdocVersion, 'rev2': $rev2}))})
   #set ($changesTitle = $escapetool.xml($services.localization.render('core.viewers.diff.previousVersion.origin', [${previousOrigdocVersion}])))
   #set ($previousOrigdocLink = "<a class='btn btn-default changes-arrow' href='$changesLink' title='$changesTitle'>$services.icon.renderHTML('left')</a>")
 #end
 #if ("$!nextOrigdocVersion" != '')
-  #set ($changesLink = ${xwiki.getURL($tdoc, 'view', "viewer=changes&rev1=${nextOrigdocVersion}&rev2=${rev2}")})
+  #set ($changesLink = ${xwiki.getURL($tdoc, 'view',
+    $escapetool.url({'viewer': 'changes', 'rev1': $nextOrigdocVersion, 'rev2': $rev2}))})
   #set ($changesTitle = $escapetool.xml($services.localization.render('core.viewers.diff.nextVersion.origin', [${nextOrigdocVersion}])))
   #set ($nextOrigdocLink = "<a class='btn btn-default changes-arrow' href='$changesLink' title='$changesTitle'>$services.icon.renderHTML('right')</a>")
 #end
 #if ("$!previousNewdocVersion" != '')
-  #set ($changesLink = ${xwiki.getURL($tdoc, 'view', "viewer=changes&rev1=${rev1}&rev2=${previousNewdocVersion}")})
+  #set ($changesLink = ${xwiki.getURL($tdoc, 'view',
+    $escapetool.url({'viewer': 'changes', 'rev1': $rev1, 'rev2': $previousNewdocVersion}))})
   #set ($changesTitle = $escapetool.xml($services.localization.render('core.viewers.diff.previousVersion.target', [${previousNewdocVersion}])))
   #set ($previousNewdocLink = "<a class='btn btn-default changes-arrow' href='$changesLink' title='$changesTitle'>$services.icon.renderHTML('left')</a>")
 #end
 #if ("$!nextNewdocVersion" != '')
-  #set ($changesLink = ${xwiki.getURL($tdoc, 'view', "viewer=changes&rev1=${rev1}&rev2=${nextNewdocVersion}")})
+  #set ($changesLink = ${xwiki.getURL($tdoc, 'view',
+    $escapetool.url({'viewer': 'changes', 'rev1': $rev1, 'rev2': $nextNewdocVersion}))})
   #set ($changesTitle = $escapetool.xml($services.localization.render('core.viewers.diff.nextVersion.target', [${nextNewdocVersion}])))
   #set ($nextNewdocLink = "<a class='btn btn-default changes-arrow' href='$changesLink' title='$changesTitle'>$services.icon.renderHTML('right')</a>")
 #end
 ## Display the previous change arrow only if there is a previous version of the original document and there is no extension version
 #if ("$!previousOrigdocVersion" != '' && "$!previousNewdocVersion" != '')
   ## Keep the reverse navigation order in case the original document version is greater than the version of the new document
   #if ($origdoc.RCSVersion.isLessOrEqualThan($newdoc.RCSVersion))
-    #set ($previousLink = ${xwiki.getURL($tdoc, 'view', "viewer=changes&rev1=${previousOrigdocVersion}&rev2=${rev1}")})
+    #set ($previousLink = ${xwiki.getURL($tdoc, 'view',
+      $escapetool.url({'viewer': 'changes', 'rev1': $previousOrigdocVersion, 'rev2': $rev1}))})
     #set ($previousLabel = $escapetool.xml($services.localization.render('core.viewers.diff.change', [$previousOrigdocVersion,$rev1])))
   #else
-    #set ($previousLink = ${xwiki.getURL($tdoc, 'view', "viewer=changes&rev1=${rev2}&rev2=${previousNewdocVersion}")})
+    #set ($previousLink = ${xwiki.getURL($tdoc, 'view',
+      $escapetool.url({'viewer': 'changes', 'rev1': $rev2, 'rev2': $previousNewdocVersion}))})
     #set ($previousLabel = $escapetool.xml($services.localization.render('core.viewers.diff.change', [$rev2, $previousNewdocVersion])))
   #end
 #end
 ## Display the next change arrow only if there is a next version of the new document and there is no extension version
 #if ("$!nextOrigdocVersion" != '' && "$!nextNewdocVersion" != '')
   ## Keep the reverse navigation order in case the original document version is greater than the version of the new document
   #if ($origdoc.RCSVersion.isLessOrEqualThan($newdoc.RCSVersion))
-    #set ($nextLink = ${xwiki.getURL($tdoc, 'view', "viewer=changes&rev1=${rev2}&rev2=${nextNewdocVersion}")})
+    #set ($nextLink = ${xwiki.getURL($tdoc, 'view',
+      $escapetool.url({'viewer': 'changes', 'rev1': $rev2, 'rev2': $nextNewdocVersion}))})
     #set ($nextLabel = $escapetool.xml($services.localization.render('core.viewers.diff.change', [$rev2, $nextNewdocVersion])))
   #else
-    #set ($nextLink = ${xwiki.getURL($tdoc, 'view', "viewer=changes&rev1=${nextOrigdocVersion}&rev2=${rev1}")})
+    #set ($nextLink = ${xwiki.getURL($tdoc, 'view',
+      $escapetool.url({'viewer': 'changes', 'rev1': $nextOrigdocVersion, 'rev2': $rev1}))})
     #set ($nextLabel = $escapetool.xml($services.localization.render('core.viewers.diff.change', [$nextOrigdocVersion, $rev1])))
   #end
 #end

xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/test/java/org/xwiki/web/ChangesPageTest.java+161 −0 added

@@ -0,0 +1,161 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.xwiki.web;
+
+import org.apache.commons.lang3.Strings;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.xwiki.model.reference.DocumentReference;
+import org.xwiki.rendering.syntax.Syntax;
+import org.xwiki.template.TemplateManager;
+import org.xwiki.test.junit5.mockito.MockComponent;
+import org.xwiki.test.page.PageTest;
+
+import com.xpn.xwiki.criteria.impl.XWikiCriteriaServiceImpl;
+import com.xpn.xwiki.doc.DocumentRevisionProvider;
+import com.xpn.xwiki.doc.XWikiDocument;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.not;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.when;
+
+/**
+ * Tests the {@code changes.vm} template.
+ *
+ * @version $Id$
+ */
+class ChangesPageTest extends PageTest
+{
+    private static final String CHANGES_VM = "changes.vm";
+
+    private static final String INVALID_REVISION = "xar:'>Invalid<'";
+
+    private static final String ENCODED_INVALID_REVISION = "xar%3A%27%3EInvalid%3C%27";
+
+    private static final DocumentReference DOCUMENT_REFERENCE = new DocumentReference("xwiki", "TestSpace", "TestPage");
+
+    private TemplateManager templateManager;
+
+    @MockComponent
+    private DocumentRevisionProvider documentRevisionProvider;
+
+    @BeforeEach
+    void setUp() throws Exception
+    {
+        this.templateManager = this.oldcore.getMocker().getInstance(TemplateManager.class);
+
+        this.xwiki.setCriteriaService(new XWikiCriteriaServiceImpl(this.context));
+
+        // Create several revisions of the document for testing
+        createDocumentRevisions();
+
+        // Set up the current doc in the context so that $doc is bound in scripts
+        this.context.setDoc(this.xwiki.getDocument(DOCUMENT_REFERENCE, this.context));
+
+        // Get the mock database revision provider that was set up by MockitoOldcore.
+        DocumentRevisionProvider databaseRevisionProvider =
+            this.oldcore.getMocker().getInstance(DocumentRevisionProvider.class, "database");
+
+        // Mock the default revision provider to handle xar: revision numbers for the test document.
+        when(this.documentRevisionProvider.getRevision(any(DocumentReference.class), anyString()))
+            .thenAnswer(invocation -> {
+                DocumentReference reference = invocation.getArgument(0);
+                String revision = invocation.getArgument(1);
+                if (Strings.CS.startsWith(revision, "xar:")
+                    && DOCUMENT_REFERENCE.equals(reference.withoutLocale())) {
+                    return this.context.getDoc();
+                }
+                return databaseRevisionProvider.getRevision(reference, revision);
+            });
+    }
+
+    private void createDocumentRevisions() throws Exception
+    {
+        XWikiDocument document = new XWikiDocument(DOCUMENT_REFERENCE);
+        document.setSyntax(Syntax.XWIKI_2_1);
+        document.setTitle("Test Page for Changes");
+
+        // Revision 1.1.
+        document.setContent("Initial content");
+        document.setComment("Initial version");
+        this.xwiki.saveDocument(document, this.context);
+
+        // Revision 2.1.
+        document.setContent("Initial content\nSecond line");
+        document.setComment("Added second line");
+        this.xwiki.saveDocument(document, this.context);
+
+        // Revision 3.1.
+        document.setContent("Initial content\nSecond line\nThird line");
+        document.setComment("Added third line");
+        this.xwiki.saveDocument(document, this.context);
+
+        // Revision 4.1.
+        document.setContent("Initial content\nSecond line\nFourth line");
+        document.setComment("Added fourth line");
+        this.xwiki.saveDocument(document, this.context);
+    }
+
+    @Test
+    void renderChangesTemplateWithBasicParameters() throws Exception
+    {
+        this.stubRequest.put("rev1", "1.1");
+        this.stubRequest.put("rev2", "2.1");
+
+        String result = this.templateManager.render(CHANGES_VM);
+
+        assertTrue(result.contains("document-title"));
+        assertTrue(result.contains("Test Page for Changes"));
+    }
+
+    @Test
+    void renderChangesTemplateWithInvalidRev2Parameters() throws Exception
+    {
+        // Set up request parameters for changes view with invalid revision numbers
+        this.stubRequest.put("rev1", "2.1");
+        this.stubRequest.put("rev2", INVALID_REVISION);
+
+        String result = this.templateManager.render(CHANGES_VM);
+
+        // Verify that the revision has been sanitized.
+        assertThat(result, not(containsString(INVALID_REVISION)));
+        // Verify that the URL-escaped revision is present in the result.
+        assertThat(result, containsString(ENCODED_INVALID_REVISION));
+    }
+
+    @Test
+    void renderChangesTemplateWithInvalidRev1Parameters() throws Exception
+    {
+        // Set up request parameters for changes view with invalid revision numbers
+        this.stubRequest.put("rev1", INVALID_REVISION);
+        this.stubRequest.put("rev2", "3.1");
+
+        String result = this.templateManager.render(CHANGES_VM);
+
+        // Verify that the revision has been sanitized.
+        assertThat(result, not(containsString(INVALID_REVISION)));
+        // Verify that the URL-escaped revision is present in the result.
+        assertThat(result, containsString(ENCODED_INVALID_REVISION));
+    }
+}

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788cnvdPatchWEB
github.com/advisories/GHSA-w4fj-87j5-f25cghsaADVISORY
github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25cnvdVendor AdvisoryWEB
jira.xwiki.org/browse/XWIKI-23472nvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-40105ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000