VYPR

Xwiki

by Cryptpad

CVEs (11)

  • CVE-2026-33229 | Cri | Apr 8, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g.,…

  • CVE-2026-40104 | Hig | Apr 15, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCod…

  • CVE-2026-40105 | Med | Apr 15, 2026
    risk 0.33 | cvss 6.1 | epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7, and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the…

  • CVE-2025-51991 | Aug 20, 2025
    risk 0.00 | cvss | epss 0.03

    XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity…

  • CVE-2025-51990 | Aug 20, 2025
    risk 0.00 | cvss | epss 0.00

    XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript…

  • CVE-2010-4642 | Dec 30, 2010
    risk 0.00 | cvss | epss 0.01

    Cross-site scripting (XSS) vulnerability in XWiki Enterprise before 2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2010-4641 | Dec 30, 2010
    risk 0.00 | cvss | epss 0.01

    SQL injection vulnerability in XWiki Enterprise before 2.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2007-4898 | Sep 14, 2007
    risk 0.00 | cvss | epss 0.01

    Unspecified vulnerability in the Multiwiki plugin in XWiki before 1.1 Enterprise RC2 allows remote authenticated users, with administrative access to one wiki in a multiwiki environment, to obtain sensitive information via unknown attack vectors. NOTE: Some of these details are…

  • CVE-2006-7223 | Sep 14, 2007
    risk 0.00 | cvss | epss 0.02

    PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has…

  • CVE-2007-4888 | Sep 14, 2007
    risk 0.00 | cvss | epss 0.01

    The "You are not allowed..." error handler in XWiki 1.0 B1 and 1.0 B2 associates the doc variable with the entire document content and metadata regardless of a user's view rights, which allows remote authenticated users to read arbitrary documents via a custom skin that prints…

  • CVE-2005-4862 | Dec 31, 2005
    risk 0.00 | cvss | epss 0.01

    The search functionality in XWiki 0.9.793 indexes cleartext user passwords, which allows remote attackers to obtain sensitive information via a search string that matches a password.