VYPR Vendor CVEs: Cryptpad

All CVEs

286 total · sorted by risk
  • CVE-2025-55730 · Critical · Sep 9, 2025
    risk 0.58 · cvss 10.0 · epss 0.01

    XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can…

  • CVE-2025-55729 · Critical · Sep 9, 2025
    risk 0.58 · cvss 10.0 · epss 0.01

    XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can…

  • CVE-2026-33229 · Critical · Apr 8, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g.,…

  • CVE-2026-23734 · Critical · May 20, 2026
    risk 0.55 · cvss n/a · epss 0.20

    XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path…

  • CVE-2025-52472 · Critical · Oct 6, 2025
    risk 0.54 · cvss n/a · epss 0.02

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The…

  • CVE-2026-33137 · Critical · May 20, 2026
    risk 0.53 · cvss n/a · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes…

  • CVE-2025-66024 · Critical · Mar 4, 2026
    risk 0.52 · cvss 9.0 · epss 0.00

    The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML…

  • CVE-2025-27603 · Critical · Mar 7, 2025
    risk 0.52 · cvss 9.1 · epss 0.01

    XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. A user that doesn't have programming rights can execute arbitrary code due to an unescaped translation when creating a page using the Migration Page template. This vulnerability…

  • CVE-2024-30263 · High · Apr 4, 2024
    risk 0.50 · cvss 7.7 · epss 0.01

    macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL as the value of the ``file`` parameter. Users with view rights can access restricted…

  • CVE-2026-40104 · High · Apr 15, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCod…

  • CVE-2025-51846 · High · Apr 30, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.

  • CVE-2017-1000051 · Medium · Jul 17, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in pad export in XWiki labs CryptPad before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the pad content

  • CVE-2026-48048 · High · May 26, 2026
    risk 0.39 · cvss n/a · epss 0.00

    Impact: XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient and with slightly modified parameters to the `LiveTableResults`, it is still possible to discover password hashes one bit at a time, so with 768 requests, the full password salt and hash can be…

  • CVE-2025-52133 · Medium · Aug 3, 2025
    risk 0.35 · cvss 6.4 · epss 0.00

    The Mocca Calendar application before 2.15 for XWiki allows XSS via a title upon calendar import.

  • CVE-2025-52132 · Medium · Aug 3, 2025
    risk 0.35 · cvss 6.4 · epss 0.00

    The Mocca Calendar application before 2.15 for XWiki allows XSS via a title to the view event page.

  • CVE-2025-52131 · Medium · Aug 3, 2025
    risk 0.35 · cvss 6.4 · epss 0.00

    The Mocca Calendar application before 2.15 for XWiki allows XSS via the background or text color field.

  • CVE-2026-26028 · Medium · May 20, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of , , and…

  • CVE-2026-40105 · Medium · Apr 15, 2026
    risk 0.33 · cvss 6.1 · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the…

  • CVE-2025-48885 · Medium · May 30, 2025
    risk 0.30 · cvss n/a · epss 0.00

    application-urlshortener creates shortened URLs for XWiki pages. Versions prior to 1.2.4 are vulnerable to users with view access being able to create arbitrary pages. Any user (even guests) can create these docs, even if they don't exist already. This can enable guest users to…

  • CVE-2025-54990 · Medium · Nov 18, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages. View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is…

  • CVE-2025-24893 · KEV · Feb 20, 2025
    risk 0.16 · cvss n/a · epss 1.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki…

  • CVE-2023-29524 · Apr 18, 2023
    risk 0.04 · cvss n/a · epss 0.76

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute anything with the right of the Scheduler Application sheet page. A user without script or programming rights can edit their user profile with the object…

  • CVE-2025-32429 · Jul 24, 2025
    risk 0.03 · cvss n/a · epss 0.85

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's…

  • CVE-2023-29526 · Apr 18, 2023
    risk 0.02 · cvss n/a · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to display or interact with any page a user cannot access through the combination of the async and display macros. A comment with either…

  • CVE-2023-29527 · Apr 18, 2023
    risk 0.01 · cvss n/a · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions a user without script or programming right may edit a user profile (or any other document) with the wiki editor and add groovy script content. Viewing…

  • CVE-2026-48047 · May 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Impact: A potential path traversal vulnerability allows an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe, like overriding configuration files and setting the superadmin password,…

  • CVE-2026-26000 · Feb 12, 2026
    risk 0.00 · cvss n/a · epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This…

  • CVE-2026-24128 · Jan 23, 2026
    risk 0.00 · cvss n/a · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which…

  • CVE-2025-66474 · Dec 10, 2025
    risk 0.00 · cvss n/a · epss 0.01

    XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against…

  • CVE-2025-66473 · Dec 10, 2025
    risk 0.00 · cvss n/a · epss 0.00

    XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending…

  • CVE-2025-66472 · Dec 10, 2025
    risk 0.00 · cvss n/a · epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a…

  • CVE-2025-65036 · Dec 5, 2025
    risk 0.00 · cvss n/a · epss 0.00

    XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed…

  • CVE-2025-55749 · Dec 1, 2025
    risk 0.00 · cvss n/a · epss 0.01

    XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might…

  • CVE-2025-65089 · Nov 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights on a page may see the content of an office attachment displayed with the view file macro. This issue has been patched…

  • CVE-2025-55728 · Sep 9, 2025
    risk 0.00 · cvss n/a · epss 0.01

    XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit…

  • CVE-2025-55727 · Sep 9, 2025
    risk 0.00 · cvss n/a · epss 0.01

    XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the width parameter in the column macro allows remote code execution for any user who can edit any…

  • CVE-2025-55748 · Sep 3, 2025
    risk 0.00 · cvss n/a · epss 0.02

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using…

  • CVE-2025-55747 · Sep 3, 2025
    risk 0.00 · cvss n/a · epss 0.02

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.

  • CVE-2025-58049 · Aug 28, 2025
    risk 0.00 · cvss n/a · epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job…

  • CVE-2025-51991 · Aug 20, 2025
    risk 0.00 · cvss n/a · epss 0.03

    XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity…

  • CVE-2025-51990 · Aug 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript…

  • CVE-2025-54125 · Aug 5, 2025
    risk 0.00 · cvss n/a · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page…

  • CVE-2025-54124 · Aug 5, 2025
    risk 0.00 · cvss n/a · epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with…

  • CVE-2025-32430 · Aug 5, 2025
    risk 0.00 · cvss n/a · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an…

  • CVE-2025-54385 · Jul 26, 2025
    risk 0.00 · cvss n/a · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 and 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using functions like DBMS_XMLGEN or…

  • CVE-2025-53836 · Jul 14, 2025
    risk 0.00 · cvss n/a · epss 0.01

    XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't…

  • CVE-2025-53835 · Jul 14, 2025
    risk 0.00 · cvss n/a · epss 0.00

    XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows…

  • CVE-2025-49591 · Jun 18, 2025
    risk 0.00 · cvss n/a · epss 0.00

    CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can gain access to the victim's…

  • CVE-2025-49590 · Jun 18, 2025
    risk 0.00 · cvss n/a · epss 0.00

    CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's…

  • CVE-2025-49587 · Jun 13, 2025
    risk 0.00 · cvss n/a · epss 0.00

    XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as…

Page 1 of 6