Cryptpad
Products
35 products (30 shown); CVE counts per product, highest first: 230, 11, 9, 7, 6, 6, 4, 4, 4, 3, 2, 2, then seven products with 1 CVE each and eleven products with 0 CVEs.
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-55730 | | Critical | 0.58 | 10.0 | 0.01 | | Sep 9, 2025 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can… |
| CVE-2025-55729 | | Critical | 0.58 | 10.0 | 0.01 | | Sep 9, 2025 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can… |
| CVE-2026-33229 | | Critical | 0.57 | 9.8 | 0.01 | | Apr 8, 2026 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g.,… |
| CVE-2026-23734 | | Critical | 0.55 | — | 0.20 | | May 20, 2026 | XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path… |
| CVE-2025-52472 | | Critical | 0.54 | — | 0.02 | | Oct 6, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The… |
| CVE-2026-33137 | | Critical | 0.53 | — | 0.01 | | May 20, 2026 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes… |
| CVE-2025-66024 | | Critical | 0.52 | 9.0 | 0.00 | | Mar 4, 2026 | The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML… |
| CVE-2025-27603 | | Critical | 0.52 | 9.1 | 0.01 | | Mar 7, 2025 | XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. A user that doesn't have programming rights can execute arbitrary code due to an unescaped translation when creating a page using the Migration Page template. This vulnerability… |
| CVE-2024-30263 | | High | 0.50 | 7.7 | 0.01 | | Apr 4, 2024 | macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL as the value of the `file` parameter. Users with view rights can access restricted… |
| CVE-2026-40104 | | High | 0.46 | 8.2 | 0.00 | | Apr 15, 2026 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCod… |
| CVE-2025-51846 | | High | 0.42 | 7.5 | 0.01 | | Apr 30, 2026 | CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2. |
| CVE-2017-1000051 | | Medium | 0.40 | 6.1 | 0.01 | | Jul 17, 2017 | Cross-site scripting (XSS) vulnerability in pad export in XWiki labs CryptPad before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the pad content. |
| CVE-2026-48048 | | High | 0.39 | — | 0.00 | | May 26, 2026 | Impact: XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient and with slightly modified parameters to the `LiveTableResults`, it is still possible to discover password hashes one bit at a time, so with 768 requests, the full password salt and hash can be… |
| CVE-2025-52133 | | Medium | 0.35 | 6.4 | 0.00 | | Aug 3, 2025 | The Mocca Calendar application before 2.15 for XWiki allows XSS via a title upon calendar import. |
| CVE-2025-52132 | | Medium | 0.35 | 6.4 | 0.00 | | Aug 3, 2025 | The Mocca Calendar application before 2.15 for XWiki allows XSS via a title to the view event page. |
| CVE-2025-52131 | | Medium | 0.35 | 6.4 | 0.00 | | Aug 3, 2025 | The Mocca Calendar application before 2.15 for XWiki allows XSS via the background or text color field. |
| CVE-2026-26028 | | Medium | 0.33 | 6.1 | 0.00 | | May 20, 2026 | CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of , , and… |
| CVE-2026-40105 | | Medium | 0.33 | 6.1 | 0.01 | | Apr 15, 2026 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the… |
| CVE-2025-48885 | | Medium | 0.30 | — | 0.00 | | May 30, 2025 | application-urlshortener creates shortened URLs for XWiki pages. Versions prior to 1.2.4 are vulnerable to users with view access being able to create arbitrary pages. Any user (even guests) can create these docs, even if they don't exist already. This can enable guest users to… |
| CVE-2025-54990 | | Medium | 0.27 | 5.3 | 0.00 | | Nov 18, 2025 | XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages. View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is… |