XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality
Summary
| CVE | CVE-2026-40105 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-15 04:17:48 UTC |
| Updated | 2026-04-17 15:38:09 UTC |
| Description | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR. |
Risk And Classification
Primary CVSS: v4.0 6.5 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000390000 probability, percentile 0.114640000 (date 2026-04-20)
Problem Types: CWE-80 | CWE-80 CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 6.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/C... |
| 4.0 | CNA | DECLARED | 6.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
NonePrivileges Required
NoneUser Interaction
PassiveConfidentiality
NoneIntegrity
NoneAvailability
NoneSub Conf.
HighSub Integrity
HighSub Availability
HighCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Xwiki | Xwiki-platform | affected >= 10.4-rc-1, < 16.10.16 | Not specified |
| CNA | Xwiki | Xwiki-platform | affected >= 17.0.0-rc-1, < 17.4.8 | Not specified |
| CNA | Xwiki | Xwiki-platform | affected >= 17.5.0-rc-1, < 17.10.1 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c | [email protected] | github.com | |
| github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd3... | [email protected] | github.com | |
| jira.xwiki.org/browse/XWIKI-23472 | [email protected] | jira.xwiki.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.