GHSA-vxf7-mx22-jr24 · Severity: critical · Ecosystem: maven — org.xwiki.platform:xwiki-platform-rendering-xwiki vulnerable to stored cross-site scripting via HTML and raw macro
XWiki Commons are technical libraries common to several other top level XWiki projects. The HTML macro does not systematically perform a proper neutralization of script-related html tags. As a result, any user able to use the html macro in XWiki, is able to introduce an XSS attack. This can be particularly dangerous since in a standard wiki, any user is able to use the html macro directly in their own user profile page. The problem has been patched in XWiki 14.8RC1. The patch involves the HTML macros and are systematically cleaned up whenever the user does not have the script correct.
Conclusion & alert: CVE-2023-29205 is rated High Exploit Risk (68.3/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.59%). Core evidence: 2 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 2.08% | 0.59% | -1.50% |
| 2 | 2026-04-21 | 1.92% | 2.08% | +0.16% |
| 3 | 2026-04-18 | — | 1.92% | — |
Full EPSS history (14 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.9 | 3.1 | CRITICAL |
|
3.1 | 6.0 | [email protected] |
| 5.4 | 3.1 | MEDIUM |
|
2.3 | 2.7 | [email protected] |
GHSA-vxf7-mx22-jr24 · Severity: critical · Ecosystem: maven — org.xwiki.platform:xwiki-platform-rendering-xwiki vulnerable to stored cross-site scripting via HTML and raw macro
| URL | Tags |
|---|---|
| https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vxf7-mx22-jr24 | Exploit Patch Vendor Advisory |
| https://jira.xwiki.org/browse/XWIKI-18568 | Exploit Issue Tracking |