VYPR
Moderate severityGHSA Advisory· Published May 26, 2026

XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin

CVE-2026-48047

Description

Impact

A potential path traversal vulnerability allow an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe like overriding configuration files and setting the superadmin password, the attack first requires that the attacker already has admin access to at least a subwiki to be able to install a malicious extension. Further, the attacker needs to publish a malicious extension in an extension repository that is configured in the instance.

Patches

This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, and 18.0.0RC1.

Workarounds

XWiki is not aware of any workarounds except for being careful whom developers grant script and admin rights to.

### Resources * https://jira.xwiki.org/browse/XWIKI-23902 * https://github.com/xwiki/xwiki-platform/commit/9f747fcd3200259a1de51957d3f5f6acc8e3816c

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xwiki.platform:xwiki-platform-webjars-apiMaven
>= 9.6-rc-1, < 16.10.1716.10.17
org.xwiki.platform:xwiki-platform-webjars-apiMaven
>= 17.0.0-rc-1, < 17.4.917.4.9
org.xwiki.platform:xwiki-platform-webjars-apiMaven
>= 17.5.0-rc-1, < 17.10.317.10.3

Affected products

1

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.