VYPR
High severityGHSA Advisory· Published May 26, 2026· Updated May 26, 2026

XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests

CVE-2026-48048

Description

Impact

XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient and with slightly modified parameters to the LiveTableResults, it is still possible to discover password hashes one bit at a time, so with 768 requests, the full password salt and hash can be retrieved of a user.

Patches

The check for password (and email properties) has been adjusted in XWiki 18.0.0RC1, 17.10.13, 17.4.9 and 16.10.17.

Workarounds

The patch can be applied manually to the wiki page XWiki.LiveTableResultsMacros.

### Resources * https://jira.xwiki.org/browse/XWIKI-23875 * https://github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xwiki.platform:xwiki-platform-livetable-uiMaven
>= 6.2.1, < 16.10.1716.10.17
org.xwiki.platform:xwiki-platform-livetable-uiMaven
>= 17.0.0-rc-1, < 17.4.917.4.9
org.xwiki.platform:xwiki-platform-livetable-uiMaven
>= 17.5.0-rc-1, < 17.10.317.10.3

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.