Vendor CVEs
Cryptpad
All CVEs
286 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-55730 | Cri | 0.58 | 10.0 | 0.01 | Sep 9, 2025 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can… | ||
| CVE-2025-55729 | Cri | 0.58 | 10.0 | 0.01 | Sep 9, 2025 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can… | ||
| CVE-2026-33229 | Cri | 0.57 | 9.8 | 0.01 | Apr 8, 2026 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g.,… | ||
| CVE-2026-23734 | Cri | 0.55 | — | 0.20 | May 20, 2026 | XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path… | ||
| CVE-2025-52472 | Cri | 0.54 | — | 0.02 | Oct 6, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The… | ||
| CVE-2026-33137 | Cri | 0.53 | — | 0.01 | May 20, 2026 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes… | ||
| CVE-2025-66024 | Cri | 0.52 | 9.0 | 0.00 | Mar 4, 2026 | The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML… | ||
| CVE-2025-27603 | Cri | 0.52 | 9.1 | 0.01 | Mar 7, 2025 | XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. A user that doesn't have programming rights can execute arbitrary code due to an unescaped translation when creating a page using the Migration Page template. This vulnerability… | ||
| CVE-2024-30263 | Hig | 0.50 | 7.7 | 0.01 | Apr 4, 2024 | macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL as the value of the ``file`` parameter. Users with view rights can access restricted… | ||
| CVE-2026-40104 | Hig | 0.46 | 8.2 | 0.00 | Apr 15, 2026 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCod… | ||
| CVE-2025-51846 | Hig | 0.42 | 7.5 | 0.01 | Apr 30, 2026 | CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2. | ||
| CVE-2017-1000051 | Med | 0.40 | 6.1 | 0.01 | Jul 17, 2017 | Cross-site scripting (XSS) vulnerability in pad export in XWiki labs CryptPad before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the pad content | ||
| CVE-2026-48048 | hig | 0.39 | — | 0.00 | May 26, 2026 | ### Impact XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient and with slightly modified parameters to the `LiveTableResults`, it is still possible to discover password hashes one bit at a time, so with 768 requests, the full password salt and hash can be… | ||
| CVE-2025-52133 | Med | 0.35 | 6.4 | 0.00 | Aug 3, 2025 | The Mocca Calendar application before 2.15 for XWiki allows XSS via a title upon calendar import. | ||
| CVE-2025-52132 | Med | 0.35 | 6.4 | 0.00 | Aug 3, 2025 | The Mocca Calendar application before 2.15 for XWiki allows XSS via a title to the view event page. | ||
| CVE-2025-52131 | Med | 0.35 | 6.4 | 0.00 | Aug 3, 2025 | The Mocca Calendar application before 2.15 for XWiki allows XSS via the background or text color field. | ||
| CVE-2026-26028 | Med | 0.33 | 6.1 | 0.00 | May 20, 2026 | CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of , , and… | ||
| CVE-2026-40105 | Med | 0.33 | 6.1 | 0.01 | Apr 15, 2026 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the… | ||
| CVE-2025-48885 | Med | 0.30 | — | 0.00 | May 30, 2025 | application-urlshortener create shortened URLs for XWiki pages. Versions prior to 1.2.4 are vulnerable to users with view access being able to create arbitrary pages. Any user (even guests) can create these docs, even if they don't exist already. This can enable guest users to… | ||
| CVE-2025-54990 | Med | 0.27 | 5.3 | 0.00 | Nov 18, 2025 | XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages. View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is… | ||
| CVE-2025-24893 | 0.16 | — | 1.00 | KEV | Feb 20, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki… | ||
| CVE-2023-29524 | 0.04 | — | 0.76 | Apr 18, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute anything with the right of the Scheduler Application sheet page. A user without script or programming rights, edit your user profile with the object… | |||
| CVE-2025-32429 | 0.03 | — | 0.85 | Jul 24, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's… | |||
| CVE-2023-29526 | 0.02 | — | 0.01 | Apr 18, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to display or interact with any page a user cannot access through the combination of the async and display macros. A comment with either… | |||
| CVE-2023-29527 | 0.01 | — | 0.01 | Apr 18, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions a user without script or programming right may edit a user profile (or any other document) with the wiki editor and add groovy script content. Viewing… | |||
| CVE-2026-48047 | 0.00 | — | 0.00 | May 26, 2026 | ### Impact A potential path traversal vulnerability allow an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe like overriding configuration files and setting the superadmin password,… | |||
| CVE-2026-26000 | 0.00 | — | 0.00 | Feb 12, 2026 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This… | |||
| CVE-2026-24128 | 0.00 | — | 0.01 | Jan 23, 2026 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which… | |||
| CVE-2025-66474 | 0.00 | — | 0.01 | Dec 10, 2025 | XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against… | |||
| CVE-2025-66473 | 0.00 | — | 0.00 | Dec 10, 2025 | XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending… | |||
| CVE-2025-66472 | 0.00 | — | 0.00 | Dec 10, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a… | |||
| CVE-2025-65036 | 0.00 | — | 0.00 | Dec 5, 2025 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed… | |||
| CVE-2025-55749 | 0.00 | — | 0.01 | Dec 1, 2025 | XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might… | |||
| CVE-2025-65089 | 0.00 | — | 0.00 | Nov 19, 2025 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights on a page may see the content of an office attachment displayed with the view file macro. This issue has been patched… | |||
| CVE-2025-55728 | 0.00 | — | 0.01 | Sep 9, 2025 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit… | |||
| CVE-2025-55727 | 0.00 | — | 0.01 | Sep 9, 2025 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the width parameter in the column macro allows remote code execution for any user who can edit any… | |||
| CVE-2025-55748 | 0.00 | — | 0.02 | Sep 3, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using… | |||
| CVE-2025-55747 | 0.00 | — | 0.02 | Sep 3, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7. | |||
| CVE-2025-58049 | 0.00 | — | 0.00 | Aug 28, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job… | |||
| CVE-2025-51991 | 0.00 | — | 0.03 | Aug 20, 2025 | XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity… | |||
| CVE-2025-51990 | 0.00 | — | 0.00 | Aug 20, 2025 | XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript… | |||
| CVE-2025-54125 | 0.00 | — | 0.01 | Aug 5, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page… | |||
| CVE-2025-54124 | 0.00 | — | 0.00 | Aug 5, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with… | |||
| CVE-2025-32430 | 0.00 | — | 0.01 | Aug 5, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an… | |||
| CVE-2025-54385 | 0.00 | — | 0.01 | Jul 26, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or… | |||
| CVE-2025-53836 | 0.00 | — | 0.01 | Jul 14, 2025 | XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't… | |||
| CVE-2025-53835 | 0.00 | — | 0.00 | Jul 14, 2025 | XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows… | |||
| CVE-2025-49591 | 0.00 | — | 0.00 | Jun 18, 2025 | CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can gain access to the victim's… | |||
| CVE-2025-49590 | 0.00 | — | 0.00 | Jun 18, 2025 | CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's… | |||
| CVE-2025-49587 | 0.00 | — | 0.00 | Jun 13, 2025 | XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as… |
- risk 0.58cvss 10.0epss 0.01
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can…
- risk 0.58cvss 10.0epss 0.01
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can…
- risk 0.57cvss 9.8epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g.,…
- risk 0.55cvss —epss 0.20
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path…
- risk 0.54cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The…
- risk 0.53cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes…
- risk 0.52cvss 9.0epss 0.00
The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML…
- risk 0.52cvss 9.1epss 0.01
XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. A user that doesn't have programming rights can execute arbitrary code due to an unescaped translation when creating a page using the Migration Page template. This vulnerability…
- risk 0.50cvss 7.7epss 0.01
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL as the value of the ``file`` parameter. Users with view rights can access restricted…
- risk 0.46cvss 8.2epss 0.00
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCod…
- risk 0.42cvss 7.5epss 0.01
CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting (XSS) vulnerability in pad export in XWiki labs CryptPad before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the pad content
- risk 0.39cvss —epss 0.00
### Impact XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient and with slightly modified parameters to the `LiveTableResults`, it is still possible to discover password hashes one bit at a time, so with 768 requests, the full password salt and hash can be…
- risk 0.35cvss 6.4epss 0.00
The Mocca Calendar application before 2.15 for XWiki allows XSS via a title upon calendar import.
- risk 0.35cvss 6.4epss 0.00
The Mocca Calendar application before 2.15 for XWiki allows XSS via a title to the view event page.
- risk 0.35cvss 6.4epss 0.00
The Mocca Calendar application before 2.15 for XWiki allows XSS via the background or text color field.
- risk 0.33cvss 6.1epss 0.00
CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of , , and…
- risk 0.33cvss 6.1epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the…
- risk 0.30cvss —epss 0.00
application-urlshortener create shortened URLs for XWiki pages. Versions prior to 1.2.4 are vulnerable to users with view access being able to create arbitrary pages. Any user (even guests) can create these docs, even if they don't exist already. This can enable guest users to…
- risk 0.27cvss 5.3epss 0.00
XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages. View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is…
- risk 0.16cvss —epss 1.00
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki…
- CVE-2023-29524Apr 18, 2023risk 0.04cvss —epss 0.76
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute anything with the right of the Scheduler Application sheet page. A user without script or programming rights, edit your user profile with the object…
- CVE-2025-32429Jul 24, 2025risk 0.03cvss —epss 0.85
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's…
- CVE-2023-29526Apr 18, 2023risk 0.02cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to display or interact with any page a user cannot access through the combination of the async and display macros. A comment with either…
- CVE-2023-29527Apr 18, 2023risk 0.01cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions a user without script or programming right may edit a user profile (or any other document) with the wiki editor and add groovy script content. Viewing…
- CVE-2026-48047May 26, 2026risk 0.00cvss —epss 0.00
### Impact A potential path traversal vulnerability allow an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe like overriding configuration files and setting the superadmin password,…
- CVE-2026-26000Feb 12, 2026risk 0.00cvss —epss 0.00
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This…
- CVE-2026-24128Jan 23, 2026risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which…
- CVE-2025-66474Dec 10, 2025risk 0.00cvss —epss 0.01
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against…
- CVE-2025-66473Dec 10, 2025risk 0.00cvss —epss 0.00
XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending…
- CVE-2025-66472Dec 10, 2025risk 0.00cvss —epss 0.00
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a…
- CVE-2025-65036Dec 5, 2025risk 0.00cvss —epss 0.00
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed…
- CVE-2025-55749Dec 1, 2025risk 0.00cvss —epss 0.01
XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might…
- CVE-2025-65089Nov 19, 2025risk 0.00cvss —epss 0.00
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights on a page may see the content of an office attachment displayed with the view file macro. This issue has been patched…
- CVE-2025-55728Sep 9, 2025risk 0.00cvss —epss 0.01
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit…
- CVE-2025-55727Sep 9, 2025risk 0.00cvss —epss 0.01
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the width parameter in the column macro allows remote code execution for any user who can edit any…
- CVE-2025-55748Sep 3, 2025risk 0.00cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using…
- CVE-2025-55747Sep 3, 2025risk 0.00cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.
- CVE-2025-58049Aug 28, 2025risk 0.00cvss —epss 0.00
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job…
- CVE-2025-51991Aug 20, 2025risk 0.00cvss —epss 0.03
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity…
- CVE-2025-51990Aug 20, 2025risk 0.00cvss —epss 0.00
XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript…
- CVE-2025-54125Aug 5, 2025risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page…
- CVE-2025-54124Aug 5, 2025risk 0.00cvss —epss 0.00
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with…
- CVE-2025-32430Aug 5, 2025risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an…
- CVE-2025-54385Jul 26, 2025risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or…
- CVE-2025-53836Jul 14, 2025risk 0.00cvss —epss 0.01
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't…
- CVE-2025-53835Jul 14, 2025risk 0.00cvss —epss 0.00
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows…
- CVE-2025-49591Jun 18, 2025risk 0.00cvss —epss 0.00
CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can gain access to the victim's…
- CVE-2025-49590Jun 18, 2025risk 0.00cvss —epss 0.00
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's…
- CVE-2025-49587Jun 13, 2025risk 0.00cvss —epss 0.00
XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as…
Page 1 of 6