xwiki xwiki-platform Vulnerabilities: CVEs, CISA KEV & Security Advisories

This page aggregates every publicly disclosed vulnerability (CVE) affecting xwiki xwiki-platform, with a severity breakdown, the affected and patched versions, the most common weakness types, and the full CVE list.

Affected versions and CVEs

Browse every xwiki xwiki-platform version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

>= 14.5, < 14.1013 CVEs
>= 15.0-rc-1, < 15.5.411 CVEs
>= 14.0-rc-1, < 14.4.710 CVEs
>= 14.0.0, < 14.4.810 CVEs
< 13.10.119 CVEs
>= 14.5, < 14.10.48 CVEs
>= 14.5.0, < 14.10.17 CVEs
>= 15.0-rc-1, < 15.1-rc-16 CVEs
>= 15.6-rc-1, < 15.10-rc-16 CVEs
>= 16.0.0-rc-1, < 16.4.66 CVEs
>= 14.0.0, < 14.4.25 CVEs
>= 14.0.0, < 14.4.35 CVEs
>= 15.0-rc-1, < 15.5.25 CVEs
>= 15.6-rc-1, < 15.7-rc-15 CVEs
>= 14.0, < 14.4.64 CVEs
>= 14.5, < 14.94 CVEs
>= 15.0-rc-1, < 15.5-rc-14 CVEs
>= 15.0-rc-1, < 15.5.54 CVEs
>= 16.0.0-rc-1, < 16.4.74 CVEs
>= 16.5.0-rc-1, < 16.10.24 CVEs
>= 16.5.0-rc-1, < 16.10.34 CVEs
>= 17.0.0-rc-1, < 17.0.04 CVEs
xwiki-application-calendar-1.04 CVEs
xwiki-platform-16.10.04 CVEs
xwiki-platform-16.10.0-rc-14 CVEs
xwiki-platform-16.10.14 CVEs
xwiki-platform-16.10.24 CVEs
xwiki-platform-16.10.34 CVEs
xwiki-platform-7.3-milestone-24 CVEs
xwiki-platform-7.4-milestone-14 CVEs
xwiki-platform-7.4-milestone-24 CVEs
xwiki-platform-8.0-milestone-14 CVEs
xwiki-platform-8.0-milestone-24 CVEs
xwiki-platform-8.1-milestone-14 CVEs
xwiki-platform-8.1-milestone-24 CVEs
xwiki-platform-8.2-milestone-14 CVEs
xwiki-platform-8.2-milestone-24 CVEs
xwiki-platform-8.3-milestone-14 CVEs
xwiki-platform-9.9-rc-24 CVEs
xwiki-plugin-tag-1.14 CVEs
< 13.10.83 CVEs
>= 14.0-rc-1, < 14.4.83 CVEs
>= 14.0, < 14.43 CVEs
>= 14.0, < 14.4.73 CVEs
>= 14.5, < 14.10.63 CVEs
>= 14.5, < 14.9-rc-13 CVEs
>= 15.0-rc-1, < 15.13 CVEs
>= 15.0-rc-1, < 15.2-rc-13 CVEs
>= 15.0-rc-1, < 15.3-rc-13 CVEs
>= 15.0-rc-1, < 15.4-rc-13 CVEs
>= 15.0-rc-1, < 15.5.13 CVEs
>= 15.0-rc-1, < 15.5.33 CVEs
>= 15.6-rc-1, < 15.10.63 CVEs
>= 15.6-rc-1, < 15.8-rc-13 CVEs
>= 15.6-rc-1, < 15.93 CVEs
>= 16.0.0-rc-1, < 16.3.03 CVEs
>= 16.0.0-rc-1, < 16.4.33 CVEs
>= 16.5.0-rc-1, < 16.10.0-rc-13 CVEs
>= 16.5.0-rc-1, < 16.8.0-rc-13 CVEs
xwiki-platform-16.10.43 CVEs
xwiki-platform-16.10.53 CVEs
xwiki-platform-16.10.63 CVEs
xwiki-platform-16.10.73 CVEs
xwiki-platform-16.10.83 CVEs
xwiki-platform-16.10.93 CVEs
< 12.10.52 CVEs
< 12.10.62 CVEs
< 12.10.92 CVEs
< 14.4.82 CVEs
< 15.10.162 CVEs
>= 13.0, < 13.4.72 CVEs
>= 13.0.0, < 13.4.72 CVEs
>= 13.2-rc-1, < 14.10.212 CVEs
>= 13.5, < 13.10.32 CVEs
>= 14.0-rc-1, < 14.10.122 CVEs
>= 14.0, < 14.22 CVEs
>= 14.0, < 14.32 CVEs
>= 14.0, < 14.3-rc-12 CVEs
>= 14.0.0, < 14.4.72 CVEs
>= 14.5, < 14.10.12 CVEs
>= 14.5, < 14.8-rc-12 CVEs
>= 14.5.0, < 14.10.22 CVEs
>= 14.5.0, < 14.10.32 CVEs
>= 14.5.0, < 14.6-rc-12 CVEs
>= 15.0.0, < 15.5.52 CVEs
>= 15.6-rc-1, < 15.10.22 CVEs
>= 15.6-rc-1, < 15.9-rc-12 CVEs
>= 15.6.0, < 15.10.12 CVEs
>= 16.0.0-rc-1, < 16.0.02 CVEs
>= 16.0.0-rc-1, < 16.3.0-rc-12 CVEs
>= 16.0.0-rc-1, < 16.4.12 CVEs
>= 16.0.0-rc-1, < 16.4.42 CVEs
>= 16.5.0-rc-1, < 16.10.12 CVEs
>= 16.5.0-rc-1, < 16.10.52 CVEs
>= 17.0.0-rc-1, < 17.1.0-rc-12 CVEs
>= 17.0.0-rc-1, < 17.2.0-rc-12 CVEs
>= 17.0.0-rc-1, < 17.3.0-rc-12 CVEs
>= 17.0.0-rc-1, < 17.4.82 CVEs
>= 17.5.0-rc-1, < 17.10.12 CVEs
>= 2.3, < 14.10.152 CVEs
>= 3.1, < 14.10.192 CVEs
xwiki-platform-16.10.102 CVEs
< 11.10.131 CVE
< 11.10.61 CVE
< 12.10.71 CVE
< 12.6.31 CVE
< 12.6.71 CVE
< 13.10.41 CVE
< 13.10.61 CVE
< 14.10.151 CVE
< 14.10.191 CVE
< 14.10.211 CVE
< 14.10.91 CVE
< 14.6-rc-11 CVE
< 16.10.111 CVE
< 16.10.131 CVE
< 16.10.61 CVE
<11.10.51 CVE
= 16.0.0-rc-11 CVE
> 11.6RC1, < 12.6.81 CVE
>= 1.0, < 13.10.61 CVE
>= 1.0, < 14.10.171 CVE
>= 1.0, < 15.10.161 CVE
>= 1.1-M2, < 13.10.111 CVE
>= 1.1-milestone-3, < 13.10.111 CVE
>= 1.1, < 13.10.51 CVE
>= 1.1, < 16.4.71 CVE
>= 1.2-milestone-1, < 13.10.111 CVE
>= 1.2-milestone-2, < 15.10.91 CVE
>= 1.31 CVE
>= 1.3-rc-1, < 13.10.111 CVE
>= 1.3, < 13.10.41 CVE
>= 1.5M2, < 13.10.111 CVE
>= 1.6-milestone-1, < 15.10.161 CVE
>= 1.7, < 13.10.61 CVE
>= 1.8, < 14.10.81 CVE
>= 1.8, < 15.10.161 CVE
>= 1.8, <= 3.0.11 CVE
>= 1.8.0, < 15.10.91 CVE
>= 1.8.1, < 14.10.221 CVE
>= 1.9-milestone-2, < 13.10.101 CVE
>= 1.9M1, < 15.10.141 CVE
>= 10.11.1, < 13.10.111 CVE
>= 10.4-rc-1, < 16.10.161 CVE
>= 10.9, < 13.10.111 CVE
>= 10.9, < 16.4.71 CVE
>= 11.10.1, < 14.10.151 CVE
>= 11.10.11, < 12.01 CVE
>= 11.3.7, < 13.10.41 CVE
>= 11.4.0, < 11.10.111 CVE
>= 11.6-rc-1, < 13.10.101 CVE
>= 11.7RC1, < 13.10.71 CVE
>= 11.8-rc-1, < 14.4.81 CVE
>= 11.8-rc-1, < 15.10.81 CVE
>= 12.0-rc-1, < 14.10.121 CVE
>= 12.0, < 12.51 CVE
>= 12.0.0, < 12.6.31 CVE
>= 12.10, < 13.10.101 CVE
>= 12.10.0, < 12.10.21 CVE
>= 12.10.0, < 12.10.31 CVE
>= 12.10.0, < 12.10.41 CVE
>= 12.10.11, < 13.10.81 CVE
>= 12.4, < 13.10.71 CVE
>= 12.5-rc-1, < 13.10.61 CVE
>= 12.6.0, < 12.6.71 CVE
>= 12.6.3, < 12.71 CVE
>= 12.6.4, < 12.81 CVE
>= 12.6.6, < 13.10.111 CVE
>= 12.7.0, < 12.8-rc-11 CVE
>= 12.8-rc-1, < 16.4.71 CVE
>= 12.9-rc-1, < 14.4.81 CVE
>= 13.0, < 13.2RC11 CVE
>= 13.0, < 13.3RC11 CVE
>= 13.0, < 13.4.61 CVE
>= 13.0, <= 13.11 CVE
>= 13.0.0, < 13.2-rc-11 CVE
>= 13.0.0, < 13.3RC11 CVE
>= 13.0.0, < 13.4.11 CVE
>= 13.0.0, < 13.4.31 CVE
>= 13.10, < 13.10.11 CVE
>= 13.10, < 13.10.111 CVE
>= 13.10.0, < 13.10.31 CVE
>= 13.10.10, < 13.10.111 CVE
>= 13.10.3, < 14.10.211 CVE
>= 13.10.4, < 14.0-rc-11 CVE
>= 13.10.8, < 13.10.111 CVE
>= 13.1RC1, < 13.10.81 CVE
>= 13.2-rc-1, < 13.10.111 CVE
>= 13.4.7, <= 13.51 CVE
>= 13.5-rc-1, < 15.10.131 CVE
>= 13.5.0, < 13.10.31 CVE
>= 13.5.0, < 13.10.91 CVE
>= 13.6.0, < 13.6RC11 CVE
>= 13.6.0, < 13.7-rc-11 CVE
>= 13.9-rc-1, < 13.10.81 CVE
>= 13.9-rc-1, < 14.10.191 CVE
>= 13.9-rc-1, < 15.10.121 CVE
>= 14.0-rc-1, < 14.2-rc-11 CVE
>= 14.0-rc-1, < 14.3-rc-11 CVE
>= 14.0-rc-1, < 14.4.31 CVE
>= 14.0-rc-1, < 14.4.41 CVE
>= 14.0-rc-1, < 14.4.51 CVE
>= 14.0-rc-1, < 14.4.61 CVE
>= 14.0, < 14.3-RC-11 CVE
>= 14.0.0, < 14.3.11 CVE
>= 14.0.0, < 14.4.11 CVE
>= 14.0.0, < 14.7-rc-11 CVE
>= 14.10, < 14.10.181 CVE
>= 14.2, < 14.10.211 CVE
>= 14.3-rc-1, < 14.4.61 CVE
>= 14.4, < 14.4.71 CVE
>= 14.4.0, < 14.4-rc-11 CVE
>= 14.4.1, < 14.4.71 CVE
>= 14.4.2, < 16.4.81 CVE
>= 14.4.3, < 14.4.71 CVE
>= 14.5, < 14.7-rc-11 CVE
>= 14.5.0, < 14.10-rc-11 CVE
>= 14.5.0, < 14.10.0-rc-11 CVE
>= 14.5.0, < 14.10.3.1 CVE
>= 14.5.0, < 14.10.61 CVE
>= 14.5.0, < 14.61 CVE
>= 14.6, < 14.101 CVE
>= 14.9, < 14.101 CVE
>= 15.0-rc-0, < 15.11 CVE
>= 15.0-rc-0, < 15.1-rc-11 CVE
>= 15.0-rc-1, < 15.01 CVE
>= 15.0-rc-1, < 15.10.121 CVE
>= 15.0-rc-1, < 15.21 CVE
>= 15.0, < 15.2-rc-11 CVE
>= 15.0, < 15.3-rc-11 CVE
>= 15.0, < 15.5.51 CVE
>= 15.10.6, < 16.10.171 CVE
>= 15.3-rc-1, < 15.10.141 CVE
>= 15.6-rc-1, < 15.61 CVE
>= 15.9-rc-1, < 15.10.121 CVE
>= 15.9-rc-1, < 15.10.161 CVE
>= 15.9-rc-1, < 15.10.81 CVE
>= 15.9-rc-1, < 16.4.71 CVE
>= 16.0.0-rc-1, < 16.2.01 CVE
>= 16.0.0, < 16.4.11 CVE
>= 16.10.0-rc-1, < 16.10.41 CVE
>= 16.5.0-rc-1, < 16.10.01 CVE
>= 16.5.0-rc-1, < 16.10.41 CVE
>= 16.5.0-rc-1, < 16.10.61 CVE
>= 16.5.0-rc-1, < 16.10.71 CVE
>= 16.5.0-rc-1, < 16.5.01 CVE
>= 16.5.0-rc-1, < 16.7.01 CVE
>= 16.5.0-rc-1, < 16.8.01 CVE
>= 16.5.0, < 16.6.0-rc-11 CVE
>= 16.7.0, < 16.10.111 CVE
>= 17.0.0-rc-1, < 17.4.0-rc-11 CVE
>= 17.0.0-rc-1, < 17.4.21 CVE
>= 17.0.0-rc-1, < 17.4.41 CVE
>= 17.0.0-rc-1, < 17.4.51 CVE
>= 17.0.0-rc-1, < 17.4.61 CVE
>= 17.0.0-rc-1, < 17.4.91 CVE
>= 17.0.0-rc1, < 17.3.0-rc-11 CVE
>= 17.0.0-rc1, < 17.4.41 CVE
>= 17.5.0-rc-1, < 17.7.0-rc-11 CVE
>= 17.5.0-rc-1, < 17.8.0-rc-11 CVE
>= 17.5.0, < 17.9.01 CVE
>= 17.5.0, < 17.10.31 CVE
>= 17.5.0, < 17.7.01 CVE
>= 18.0.0-rc-1, < 18.1.0-rc-11 CVE
>= 2.0-milestone-1, < 13.10.51 CVE
>= 2.0, < 14.10.71 CVE
>= 2.2-milestone-1, < 13.10.61 CVE
>= 2.2-milestone-1, < 14.4.81 CVE
>= 2.2, < 14.10.171 CVE
>= 2.3-milestone-1, < 13.10.111 CVE
>= 2.3, < 15.10.91 CVE
>= 2.4-m-2, < 14.4.81 CVE
>= 2.4-milestone-1, < 14.10.201 CVE
>= 2.4-milestone-2, < 3.1-milestone-11 CVE
>= 2.5-m1, < 14.4.81 CVE
>= 2.5-milestone-2, < 14.10.51 CVE
>= 2.6-rc-2, < 14.4.81 CVE
>= 2.6.1, < 12.10.111 CVE
>= 3.0-milestone-1, < 13.10.101 CVE
>= 3.0.1, < 14.10.201 CVE
>= 3.1-milestone-1, < 13.4-rc-11 CVE
>= 3.1-milestone-2, < 13.4-rc-11 CVE
>= 3.2-m3, < 13.4.41 CVE
>= 3.2-milestone-2, < 13.10.71 CVE
>= 3.2-milestone-3, < 14.10.61 CVE
>= 3.2-milestone-3, < 14.10.91 CVE
>= 3.3-milestone-1, < 13.10.111 CVE
>= 3.3-milestone-1, < 15.10.91 CVE
>= 3.4-milestone-1, < 14.10.51 CVE
>= 3.5-milestone-1, < 14.10.81 CVE
>= 3.5-milestone-1, < 14.10.91 CVE
>= 3.5-milestone-1, < 14.4.81 CVE
>= 4.2-milestone-3, < 13.10.111 CVE
>= 4.2-milestone-3, < 14.10.211 CVE
>= 4.2-milestone-3, < 16.4.81 CVE
>= 4.3-milestone-1, < 16.10.91 CVE
>= 4.3-milestone-2, < 14.10.201 CVE
>= 4.5-rc-1, < 14.10.151 CVE
>= 4.5.1, < 15.10.131 CVE
>= 5.0-milestone-1, < 13.10.71 CVE
>= 5.0-milestone-1, < 14.4.81 CVE
>= 5.0-rc-1, < 14.10.191 CVE
>= 5.0, < 12.10.111 CVE
>= 5.1-rc-1, < 14.10.81 CVE
>= 5.2-milestone-2, < 14.10.201 CVE
>= 5.3-milestone-2, < 12.10.111 CVE
>= 5.3-milestone-2, < 13.10.111 CVE
>= 5.3-milestone-2, < 13.10.61 CVE
>= 5.3-milestone-2, < 15.10.111 CVE
>= 5.4-rc-1, < 15.10.151 CVE
>= 5.4.4, < 14.4.81 CVE
>= 5.4.4, <= 6.0-milestone-21 CVE
>= 6.0-milestone-2, < 12.10.111 CVE
>= 6.0-rc-1, < 13.10.101 CVE
>= 6.0-rc-1, < 14.10.61 CVE
>= 6.0, < 13.10.101 CVE
>= 6.1-milestone-1, < 15.10.121 CVE
>= 6.1-rc-1, < 14.10.51 CVE
>= 6.1-rc-1, < 15.10.141 CVE
>= 6.2-milestone-1, < 13.10.101 CVE
>= 6.2-milestone-1, < 14.10.51 CVE
>= 6.2.4, < 12.10.111 CVE
>= 6.2.4, < 13.10.101 CVE
>= 6.3-milestone-2, < 13.10.111 CVE
>= 6.3-milestone-2, < 13.10.51 CVE
>= 6.3-milestone-2, < 14.10.151 CVE
>= 6.4-milestone-1, < 14.10.191 CVE
>= 6.4-milestone-2, < 13.10.71 CVE
>= 7.0-milestone-2, < 16.10.121 CVE
>= 7.0-rc-1, < 14.4.81 CVE
>= 7.2-milestone-2, < 14.10.121 CVE
>= 7.2-milestone-2, < 14.10.151 CVE
>= 7.2-milestone-2, < 16.4.71 CVE
>= 7.2-rc-1, < 13.10.111 CVE
>= 7.2-rc-1, < 14.10.201 CVE
>= 7.2, < 14.10.101 CVE
>= 7.3-milestone-1, < 14.4.81 CVE
>= 7.4.5, < 8.0-milestone-11 CVE
>= 8.0-rc-1, < 13.10.51 CVE
>= 8.1-milestone-1, < 14.10.51 CVE
>= 8.1, < 13.10.81 CVE
>= 8.2, < 16.4.71 CVE
>= 8.3-rc-1, < 14.10.71 CVE
>= 9.2-rc-1, < 14.10.211 CVE
>= 9.4-rc-1, < 14.10.51 CVE
>= 9.4-rc-1, < 14.10.81 CVE
>= 9.4-rc-1, < 16.10.61 CVE
>= 9.6-rc-1, < 14.10.61 CVE
>= 9.7-rc-1, < 14.10.141 CVE
>= 9.7-rc-1, < 15.10.111 CVE
>= 9.8-rc-1, < 16.4.71 CVE
>=12.0.0, <12.2.11 CVE
xwiki-platform-16.10.111 CVE
xwiki-platform-16.10.121 CVE

Fixed in

08e0887f0362b21614e6bfcb5be7e1f568659c4128 CVEs
962ee4ac0352ab1a89cc779c29e81b0674d0203e17 CVEs
c524887d154ff8f6df9651e36b904e234bf5a6ef17 CVEs
b469b950e7fe3d22f00b639d43f286bf871472b116 CVEs
0e37972524b5a68c44734112f38a48e746b0909e12 CVEs
c127075e7814ef7cd164bb6493d67b1943b6db1e11 CVEs
f5a9a0762750936523187286919ec4c1892d6fea11 CVEs
0cb75bab7ac0c3ecbd0429e88726435b55970c8e8 CVEs
61a67f5cf241df692779d77367168e07621190918 CVEs
db1b7950037774552be2897571c2e1c5a75894008 CVEs
1bcc6e962dc5701ae6f9745a209a5c0c97461128

Find a version

242 CVEs

Sort

XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
CVE-2026-33137
Patch
CWE-862
Critical · CVSS 9.3
EPSS 0.0% (4th pct)2026-05-20
XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality
CVE-2026-40105
Patch
CWE-80
Medium · CVSS 6.5
EPSS 0.7% (73th pct)2026-04-15
XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API
CVE-2026-33229
Patch
CWE-862
Critical · CVSS 9.8
EPSS 0.1% (22th pct)2026-04-08
XWiki Platform affected by click-jacking through CSS injection in comments
CVE-2026-26000
Patch
CWE-1021
Medium · CVSS 5.3
EPSS 0.0% (9th pct)2026-02-12
XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages
CVE-2026-24128
Patch
CWE-80
Medium · CVSS 6.5
EPSS 0.1% (22th pct)2026-01-23
XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection
CVE-2025-66474
Public exploit
Patch
CWE-95
High · CVSS 8.7
EPSS 0.7% (72th pct)2025-12-10
XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis
CVE-2025-66473
Public exploit
Patch
CWE-770
High · CVSS 8.7
EPSS 0.0% (12th pct)2025-12-10
XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication
CVE-2025-66472
Patch
CWE-80
Medium · CVSS 6.5
EPSS 0.1% (32th pct)2025-12-10
The XWiki Jetty package (XJetty) allows accessing any application file through URL
CVE-2025-55749
Patch
CWE-284
High · CVSS 8.7
EPSS 0.8% (75th pct)2025-12-01
XWiki Platform vulnerable to HQL injection via wiki and space search REST API
CVE-2025-52472
Patch
CWE-89
Critical · CVSS 9.3
EPSS 0.3% (57th pct)2025-10-06
XWiki Platform's configuration files can be accessed through jsx and sx endpoints
CVE-2025-55748
Patch
CWE-23
Critical · CVSS 9.3
EPSS 0.4% (59th pct)2025-09-03
XWiki Platform's configuration files can be accessed through the webjars API
CVE-2025-55747
Patch
CWE-23
Critical · CVSS 9.3
EPSS 1.3% (80th pct)2025-09-03
XWiki PDF export jobs store sensitive cookies unencrypted in job statuses
CVE-2025-58049
Patch
CWE-212
Medium · CVSS 5.8
EPSS 0.1% (19th pct)2025-08-28
High vulnerability · 2025-08-20
CVE-2025-51991
Public exploit
CWE-79
High · CVSS 8.8
EPSS 3.7% (88th pct)2025-08-20
Medium vulnerability · 2025-08-20
CVE-2025-51990
Public exploit
CWE-79
Medium · CVSS 4.8
EPSS 0.1% (22th pct)2025-08-20
XWiki Platform: Password and email exposure in xml.vm fields
CVE-2025-54125
Public exploit
Patch
CWE-359
High · CVSS 8.7
EPSS 0.7% (73th pct)2025-08-05
XWiki Platform: Any user with editing rights can access password properties through Database List Properties
CVE-2025-54124
Public exploit
Patch
CWE-359
High · CVSS 7.1
EPSS 0.1% (29th pct)2025-08-05
XWiki Platform contains Reflected XSS vulnerability in two templates
CVE-2025-32430
Public exploit
Patch
CWE-79
Medium · CVSS 6.5
EPSS 0.1% (21th pct)2025-08-05
XWiki Platform's searchDocuments API allows for SQL injection
CVE-2025-54385
Patch
CWE-20
High · CVSS 8.6
EPSS 1.0% (77th pct)2025-07-26
XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter
CVE-2025-32429
Public exploit
Patch
CWE-89
Critical · CVSS 9.3
EPSS 34.9% (97th pct)2025-07-24
XWiki Rendering is vulnerable to RCE attacks when processing nested macros
CVE-2025-53836
Public exploit
Patch
CWE-863
Critical · CVSS 10.0
EPSS 5.5% (90th pct)2025-07-14
XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax
CVE-2025-53835
Public exploit
Patch
CWE-79
Critical · CVSS 9.1
EPSS 3.8% (88th pct)2025-07-14
XWiki does not require right warnings for notification displayer objects
CVE-2025-49587
Public exploit
Patch
CWE-357
Medium · CVSS 6.4
EPSS 0.6% (70th pct)2025-06-13
XWiki allows remote code execution through preview of XClass changes in AWM editor
CVE-2025-49586
Public exploit
Patch
CWE-863
High · CVSS 8.7
EPSS 9.2% (93th pct)2025-06-13
XWiki does not require right warnings for XClass definitions
CVE-2025-49585
Patch
CWE-357
High · CVSS 8.6
EPSS 0.6% (70th pct)2025-06-13
XWiki makes title of inaccessible pages available through the class property values REST API
CVE-2025-49584
Public exploit
Patch
CWE-201
High · CVSS 8.7
EPSS 0.1% (27th pct)2025-06-13
XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right
CVE-2025-49583
Public exploit
Patch
CWE-270
Medium · CVSS 5.1
EPSS 0.0% (14th pct)2025-06-13
XWiki's required right warnings for macros are incomplete
CVE-2025-49582
Patch
CWE-357
High · CVSS 8.6
EPSS 1.3% (80th pct)2025-06-13
XWiki allows remote code execution through default value of wiki macro wiki-type parameters
CVE-2025-49581
Patch
CWE-94
High · CVSS 8.7
EPSS 3.9% (88th pct)2025-06-13
XWiki allows privilege escalation through link refactoring
CVE-2025-49580
Public exploit
Patch
CWE-266
High · CVSS 8.5
EPSS 0.8% (74th pct)2025-06-13

Showing 30 of 242

xwiki xwiki-platform Vulnerabilities

Overview

Severity and exploitation

Affected versions and CVEs

Specific versions

Fixed in

Common weakness types

Disclosure activity by year

Other xwiki products

Frequently asked questions

How many CVEs does xwiki xwiki-platform have?

How many xwiki xwiki-platform CVEs are in CISA KEV?

Are there public exploits for xwiki xwiki-platform vulnerabilities?

Which versions of xwiki xwiki-platform are affected?

What are the most common weakness types in xwiki xwiki-platform CVEs?

How many critical xwiki xwiki-platform vulnerabilities are there?

What is the average severity of xwiki xwiki-platform CVEs?

References

Track xwiki xwiki-platform vulnerabilities