VYPR

Maven package

org.xwiki.platform/xwiki-platform-oldcore

pkg:maven/org.xwiki.platform/xwiki-platform-oldcore

Vulnerabilities (45)

  • CVE-2026-40104 | High | Apr 15, 2026
    affected: >= 1.8-rc-1, < 16.10.16; fixed: 16.10.16

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCod

  • CVE-2026-33229 | Critical | Apr 8, 2026
    affected: >= 17.0.0-rc-1, < 17.4.8; fixed: 17.4.8

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g.,

  • CVE-2025-54125 | Aug 5, 2025
    affected: >= 1.1, < 16.4.7; fixed: 16.4.7

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in

  • CVE-2025-54124 | Aug 5, 2025
    affected: >= 9.8-rc-1, < 16.4.7; fixed: 16.4.7

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing

  • CVE-2025-54385 | Jul 26, 2025
    affected: >= 1.0, < 16.10.6; fixed: 16.10.6

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using functions like DBMS_XMLGEN or DBMS_XMLQUE

  • CVE-2025-49586 | Jun 13, 2025
    affected: >= 7.2-milestone-2, < 16.4.7; fixed: 16.4.7

    XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users in XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed

  • CVE-2024-56158 | Jun 12, 2025
    affected: >= 1.0, < 15.10.16; fixed: 15.10.16

    XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using functions like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function i

  • CVE-2025-32968 | Apr 23, 2025
    affected: >= 1.6-milestone-1, < 15.10.16; fixed: 15.10.16

    XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the d

  • CVE-2024-43400 | Aug 19, 2024
    affected: >= 1.1.2, < 14.10.21; fixed: 14.10.21

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineering to trick a user to fo

  • CVE-2024-37898 | Jul 31, 2024
    affected: >= 13.10.4, < 14.10.21; fixed: 14.10.21

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When a user has view but not edit right on a page in XWiki, that user can delete the page and replace it by a page with new content without having delete right. The previous v

  • CVE-2024-37899 | Jun 20, 2024
    affected: >= 13.4.7, < 14.10.21; fixed: 14.10.21

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an

  • CVE-2024-31987 | Apr 10, 2024
    affected: >= 6.4-milestone-1, < 14.10.19; fixed: 14.10.19

    XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus

  • CVE-2024-31981 | Apr 10, 2024
    affected: >= 3.0.1, < 14.10.20; fixed: 14.10.20

    XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, remote code execution is possible via PDF export templates. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10-rc-1. If PDF templates a

  • CVE-2024-31464 | Apr 10, 2024
    affected: >= 5.0-rc-1, < 14.10.19; fixed: 14.10.19

    XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.19, 15.5.4, and 15.9-rc-1, it is possible to access the hash of a password by using the diff feature of the history whenever the object storing the password is deleted. Using that

  • CVE-2024-21648 | Jan 8, 2024
    affected: >= 1.0, < 14.10.17; fixed: 14.10.17

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The rollback action is missing a right protection: a user can roll back to a previous version of the page to gain rights they don't have anymore. The problem has been patched i

  • CVE-2023-46243 | Nov 7, 2023
    affected: >= 15.0, < 15.2-rc-1; fixed: 15.2-rc-1

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user has edit right on it. A crafte

  • CVE-2023-46242 | Nov 7, 2023
    affected: >= 1.0, < 14.10.7; fixed: 14.10.7

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` privileges in order to exploit this vulner

  • CVE-2023-37911 | Oct 25, 2023
    affected: >= 9.4-rc-1, < 14.10.8; fixed: 14.10.8

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, when a document has been deleted and re-created, it is possible for users with view right on the re-c

  • CVE-2023-41046 | Sep 1, 2023
    affected: >= 7.2, < 14.10.10; fixed: 14.10.10

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible in XWiki to execute Velocity code without having script right by creating an XClass with a property of type "TextArea" and content type "VelocityCode" or "Veloc

  • CVE-2023-40572 | Aug 24, 2023
    affected: >= 3.2-milestone-3, < 14.10.9; fixed: 14.10.9

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the con

Page 1 of 3