Xwiki Contrib
Products
8- 37 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
47| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-49594 | Cri | 0.53 | — | 0.01 | Oct 6, 2025 | XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it… | ||
| CVE-2018-16666 | Hig | 0.51 | 7.8 | 0.00 | Sep 7, 2018 | An issue was discovered in Contiki-NG through 4.1. There is a stack-based buffer overflow in next_string in os/storage/antelope/aql-lexer.c while parsing AQL (parsing next string). | ||
| CVE-2018-16663 | Hig | 0.51 | 7.8 | 0.00 | Sep 7, 2018 | An issue was discovered in Contiki-NG through 4.1. There is a stack-based buffer overflow in parse_relations in os/storage/antelope/aql-parser.c while parsing AQL (storage of relations). | ||
| CVE-2025-58365 | Hig | 0.50 | — | 0.01 | Sep 8, 2025 | The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Prior to version 9.14, the blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit… | ||
| CVE-2018-16667 | Hig | 0.46 | 7.0 | 0.00 | Sep 7, 2018 | An issue was discovered in Contiki-NG through 4.1. There is a buffer over-read in lookup in os/storage/antelope/lvm.c while parsing AQL (lvm_register_variable, lvm_set_variable_value, create_intersection, create_union). | ||
| CVE-2018-16664 | Hig | 0.46 | 7.0 | 0.00 | Sep 7, 2018 | An issue was discovered in Contiki-NG through 4.1. There is a buffer overflow in lvm_set_type in os/storage/antelope/lvm.c while parsing AQL (lvm_set_op, lvm_set_relation, lvm_set_operand). | ||
| CVE-2025-31487 | Hig | 0.43 | 7.7 | 0.00 | Apr 3, 2025 | The XWiki JIRA extension provides various integration points between XWiki and JIRA (macros, UI, CKEditor plugin). If the JIRA macro is installed, any logged in XWiki user could edit his/her user profile wiki page and use that JIRA macro, specifying a fake JIRA URL that returns… | ||
| CVE-2018-16665 | Med | 0.40 | 6.1 | 0.00 | Sep 7, 2018 | An issue was discovered in Contiki-NG through 4.1. There is a buffer overflow while parsing AQL in lvm_shift_for_operator in os/storage/antelope/lvm.c. | ||
| CVE-2026-42140 | Med | 0.22 | 4.4 | 0.00 | May 4, 2026 | PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However,… | ||
| CVE-2018-1000804 | Cri | 0.01 | 9.8 | 0.06 | Oct 8, 2018 | contiki-ng version 4 contains a Buffer Overflow vulnerability in AQL (Antelope Query Language) database engine that can result in Attacker can perform Remote Code Execution on device using Contiki-NG operating system. This attack appear to be exploitable via Attacker must be… | ||
| CVE-2025-65091 | 0.00 | — | 0.00 | Jan 10, 2026 | XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack.… | |||
| CVE-2025-65090 | 0.00 | — | 0.00 | Jan 10, 2026 | XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of… | |||
| CVE-2025-46558 | 0.00 | — | 0.00 | Apr 30, 2025 | XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting (XSS) through HTML. In particular, using Markdown… | |||
| CVE-2023-29001 | 0.00 | — | 0.01 | Nov 27, 2024 | Contiki-NG is an open-source, cross-platform operating system for IoT devices. The Contiki-NG operating system processes source routing headers (SRH) in its two alternative RPL protocol implementations. The IPv6 implementation uses the results of this processing to determine… | |||
| CVE-2024-41125 | 0.00 | — | 0.00 | Nov 27, 2024 | Contiki-NG is an open-source, cross-platform operating system for IoT devices. An out-of-bounds read of 1 byte can be triggered when sending a packet to a device running the Contiki-NG operating system with SNMP enabled. The SNMP module is disabled in the default Contiki-NG… | |||
| CVE-2024-41126 | 0.00 | — | 0.00 | Nov 27, 2024 | Contiki-NG is an open-source, cross-platform operating system for IoT devices. An out-of-bounds read of 1 byte can be triggered when sending a packet to a device running the Contiki-NG operating system with SNMP enabled. The SNMP module is disabled in the default Contiki-NG… | |||
| CVE-2024-47181 | 0.00 | — | 0.01 | Nov 27, 2024 | Contiki-NG is an open-source, cross-platform operating system for IoT devices. An unaligned memory access can be triggered in the two RPL implementations of the Contiki-NG operating system. The problem can occur when either one of these RPL implementations is enabled and… | |||
| CVE-2023-50926 | 0.00 | — | 0.01 | Feb 14, 2024 | Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be caused by an incoming DIO message when using the RPL-Lite implementation in the Contiki-NG operating system. More specifically, the prefix information of… | |||
| CVE-2023-50927 | 0.00 | — | 0.01 | Feb 14, 2024 | Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An attacker can trigger out-of-bounds reads in the RPL-Lite implementation of the RPL protocol in the Contiki-NG operating system. This vulnerability is caused by insufficient control… | |||
| CVE-2023-48229 | 0.00 | — | 0.00 | Feb 14, 2024 | Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds write exists in the driver for IEEE 802.15.4 radios on nRF platforms in the Contiki-NG operating system. The problem is triggered when parsing radio frames in the… |
- risk 0.53cvss —epss 0.01
XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it…
- risk 0.51cvss 7.8epss 0.00
An issue was discovered in Contiki-NG through 4.1. There is a stack-based buffer overflow in next_string in os/storage/antelope/aql-lexer.c while parsing AQL (parsing next string).
- risk 0.51cvss 7.8epss 0.00
An issue was discovered in Contiki-NG through 4.1. There is a stack-based buffer overflow in parse_relations in os/storage/antelope/aql-parser.c while parsing AQL (storage of relations).
- risk 0.50cvss —epss 0.01
The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Prior to version 9.14, the blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit…
- risk 0.46cvss 7.0epss 0.00
An issue was discovered in Contiki-NG through 4.1. There is a buffer over-read in lookup in os/storage/antelope/lvm.c while parsing AQL (lvm_register_variable, lvm_set_variable_value, create_intersection, create_union).
- risk 0.46cvss 7.0epss 0.00
An issue was discovered in Contiki-NG through 4.1. There is a buffer overflow in lvm_set_type in os/storage/antelope/lvm.c while parsing AQL (lvm_set_op, lvm_set_relation, lvm_set_operand).
- risk 0.43cvss 7.7epss 0.00
The XWiki JIRA extension provides various integration points between XWiki and JIRA (macros, UI, CKEditor plugin). If the JIRA macro is installed, any logged in XWiki user could edit his/her user profile wiki page and use that JIRA macro, specifying a fake JIRA URL that returns…
- risk 0.40cvss 6.1epss 0.00
An issue was discovered in Contiki-NG through 4.1. There is a buffer overflow while parsing AQL in lvm_shift_for_operator in os/storage/antelope/lvm.c.
- risk 0.22cvss 4.4epss 0.00
PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However,…
- risk 0.01cvss 9.8epss 0.06
contiki-ng version 4 contains a Buffer Overflow vulnerability in AQL (Antelope Query Language) database engine that can result in Attacker can perform Remote Code Execution on device using Contiki-NG operating system. This attack appear to be exploitable via Attacker must be…
- CVE-2025-65091Jan 10, 2026risk 0.00cvss —epss 0.00
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack.…
- CVE-2025-65090Jan 10, 2026risk 0.00cvss —epss 0.00
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of…
- CVE-2025-46558Apr 30, 2025risk 0.00cvss —epss 0.00
XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting (XSS) through HTML. In particular, using Markdown…
- CVE-2023-29001Nov 27, 2024risk 0.00cvss —epss 0.01
Contiki-NG is an open-source, cross-platform operating system for IoT devices. The Contiki-NG operating system processes source routing headers (SRH) in its two alternative RPL protocol implementations. The IPv6 implementation uses the results of this processing to determine…
- CVE-2024-41125Nov 27, 2024risk 0.00cvss —epss 0.00
Contiki-NG is an open-source, cross-platform operating system for IoT devices. An out-of-bounds read of 1 byte can be triggered when sending a packet to a device running the Contiki-NG operating system with SNMP enabled. The SNMP module is disabled in the default Contiki-NG…
- CVE-2024-41126Nov 27, 2024risk 0.00cvss —epss 0.00
Contiki-NG is an open-source, cross-platform operating system for IoT devices. An out-of-bounds read of 1 byte can be triggered when sending a packet to a device running the Contiki-NG operating system with SNMP enabled. The SNMP module is disabled in the default Contiki-NG…
- CVE-2024-47181Nov 27, 2024risk 0.00cvss —epss 0.01
Contiki-NG is an open-source, cross-platform operating system for IoT devices. An unaligned memory access can be triggered in the two RPL implementations of the Contiki-NG operating system. The problem can occur when either one of these RPL implementations is enabled and…
- CVE-2023-50926Feb 14, 2024risk 0.00cvss —epss 0.01
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be caused by an incoming DIO message when using the RPL-Lite implementation in the Contiki-NG operating system. More specifically, the prefix information of…
- CVE-2023-50927Feb 14, 2024risk 0.00cvss —epss 0.01
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An attacker can trigger out-of-bounds reads in the RPL-Lite implementation of the RPL protocol in the Contiki-NG operating system. This vulnerability is caused by insufficient control…
- CVE-2023-48229Feb 14, 2024risk 0.00cvss —epss 0.00
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds write exists in the driver for IEEE 802.15.4 radios on nRF platforms in the Contiki-NG operating system. The problem is triggered when parsing radio frames in the…