VYPR
Vendor: Cryptpad

Products: 35
CVEs: 286 (295 across products)
Status: Private

Recent CVEs (286)
  • CVE-2025-55730 · Critical · Sep 9, 2025
    risk 0.58 · cvss 10.0 · epss 0.01

    XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can…

  • CVE-2025-55729 · Critical · Sep 9, 2025
    risk 0.58 · cvss 10.0 · epss 0.01

    XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can…

  • CVE-2026-33229 · Critical · Apr 8, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g.,…

  • CVE-2026-23734 · Critical · May 20, 2026
    risk 0.55 · cvss n/a · epss 0.20

    XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path…

  • CVE-2025-52472 · Critical · Oct 6, 2025
    risk 0.54 · cvss n/a · epss 0.02

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The…

  • CVE-2026-33137 · Critical · May 20, 2026
    risk 0.53 · cvss n/a · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes…

  • CVE-2025-66024 · Critical · Mar 4, 2026
    risk 0.52 · cvss 9.0 · epss 0.00

    The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML…

  • CVE-2025-27603 · Critical · Mar 7, 2025
    risk 0.52 · cvss 9.1 · epss 0.01

    XWiki Confluence Migrator Pro helps admins import Confluence packages into their XWiki instance. A user that doesn't have programming rights can execute arbitrary code due to an unescaped translation when creating a page using the Migration Page template. This vulnerability…

  • CVE-2024-30263 · High · Apr 4, 2024
    risk 0.50 · cvss 7.7 · epss 0.01

    macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL as the value of the `file` parameter. Users with view rights can access restricted…

  • CVE-2026-40104 · High · Apr 15, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCod…

  • CVE-2025-51846 · High · Apr 30, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.

  • CVE-2017-1000051 · Medium · Jul 17, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in pad export in XWiki labs CryptPad before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the pad content.

  • CVE-2026-48048 · High · May 26, 2026
    risk 0.39 · cvss n/a · epss 0.00

    Impact: XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient and that, with slightly modified parameters to the `LiveTableResults`, it is still possible to discover password hashes one bit at a time, so with 768 requests the full password salt and hash can be…

  • CVE-2025-52133 · Medium · Aug 3, 2025
    risk 0.35 · cvss 6.4 · epss 0.00

    The Mocca Calendar application before 2.15 for XWiki allows XSS via a title upon calendar import.

  • CVE-2025-52132 · Medium · Aug 3, 2025
    risk 0.35 · cvss 6.4 · epss 0.00

    The Mocca Calendar application before 2.15 for XWiki allows XSS via a title to the view event page.

  • CVE-2025-52131 · Medium · Aug 3, 2025
    risk 0.35 · cvss 6.4 · epss 0.00

    The Mocca Calendar application before 2.15 for XWiki allows XSS via the background or text color field.

  • CVE-2026-26028 · Medium · May 20, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of , , and…

  • CVE-2026-40105 · Medium · Apr 15, 2026
    risk 0.33 · cvss 6.1 · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7, and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the…

  • CVE-2025-48885 · Medium · May 30, 2025
    risk 0.30 · cvss n/a · epss 0.00

    application-urlshortener creates shortened URLs for XWiki pages. Versions prior to 1.2.4 are vulnerable to users with view access being able to create arbitrary pages. Any user (even guests) can create these docs, even if they don't exist already. This can enable guest users to…

  • CVE-2025-54990 · Medium · Nov 18, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages; view rights on AdminTools.SpammedPages are not restricted to admin users. While no data is…