GHSA-q9hg-9qj2-mxf9 · Severity: critical · Ecosystem: maven — XWiki Platform vulnerable to cross-site scripting via xcontinue parameter in previewactions template
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user can forge a URL carrying a payload that injects JavaScript into the page (XSS). The previewactions template can be exploited for XSS, e.g. with a URL such as `<hostname>/xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=previewactions.vm&xcontinue=javascript:alert(document.domain)`. This vulnerability has existed since XWiki 6.1-rc-1. It has been patched in XWiki 14.10.5 and 15.1-rc-1.
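The defensive pattern for a parameter like `xcontinue` is to validate it as a same-origin path before it is written into a link, and to escape it for the attribute context on output. The following is an added illustration in Python, not XWiki's own fix; `DEFAULT_CONTINUE`, `safe_continue_url` and `render_continue_link` are names chosen here, and the strict "absolute path only" policy is an assumption.

```python
"""Validate a "continue to" parameter such as XWiki's xcontinue before it
is written into a link.  Added illustration, not XWiki's own fix: the value
is accepted only when it is an absolute path on the same origin; anything
carrying a scheme (javascript:, data:, https://...) or leaving the origin
(//host, backslash forms) falls back to a default landing page."""
import html
import re
from urllib.parse import urlsplit

# Constructed default; a real deployment would take this from wiki config.
DEFAULT_CONTINUE = "/xwiki/bin/view/Main/"

# Browsers drop tab/LF/CR anywhere in a URL and strip leading/trailing
# C0 controls and spaces before parsing, so "java\tscript:" still runs.
# Normalise the same way before inspecting the value.
_TAB_NL = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def safe_continue_url(value, default=DEFAULT_CONTINUE):
    """Return ``value`` if it is a same-origin absolute path, else ``default``."""
    if not value:
        return default
    cleaned = _TAB_NL.sub("", value).strip(_C0_AND_SPACE)
    # urlsplit lower-cases the scheme, so "JaVaScRiPt:" is caught as well.
    if urlsplit(cleaned).scheme:
        return default
    # Scheme-relative and backslash forms are read as "//host" by browsers.
    if cleaned.startswith(("//", "/\\", "\\")):
        return default
    # Relative paths are rejected too (strict policy assumed here).
    if not cleaned.startswith("/"):
        return default
    return cleaned


def render_continue_link(value):
    """Emit the anchor a preview template would produce: validate first,
    then escape for the HTML attribute context."""
    return '<a href="%s">Continue</a>' % html.escape(
        safe_continue_url(value), quote=True
    )


if __name__ == "__main__":
    for candidate in ("javascript:alert(document.domain)", "//evil.example/",
                      "/xwiki/bin/view/Sandbox/WebHome?x=1"):
        print(candidate, "->", render_continue_link(candidate))
```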
Conclusion & alert: CVE-2023-35162 is rated High Risk (67.3/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 2.40%). Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-21 | 2.16% | 2.40% | +0.24% |
| 2 | 2026-06-15 | 15.56% | 2.16% | -13.40% |
| 3 | 2026-03-16 | — | 15.56% | — |
Full EPSS history (27 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.6 | 3.1 | CRITICAL | | 2.8 | 6.0 | [email protected] |
| 6.1 | 3.1 | MEDIUM | | 2.8 | 2.7 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| xwiki | xwiki | >= 6.2, < 14.10.5 | cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* |
| xwiki | xwiki | 6.1 | cpe:2.3:a:xwiki:xwiki:6.1:-:*:*:*:*:*:* |
| xwiki | xwiki | 6.1 | cpe:2.3:a:xwiki:xwiki:6.1:milestone1:*:*:*:*:*:* |
| xwiki | xwiki | 6.1 | cpe:2.3:a:xwiki:xwiki:6.1:milestone2:*:*:*:*:*:* |
| xwiki | xwiki | 6.1 | cpe:2.3:a:xwiki:xwiki:6.1:rc1:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/xwiki/xwiki-platform/commit/9f01166b1a8ee9639666099eb5040302df067e4d | Patch, Technical Description, Vendor Advisory |
| https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q9hg-9qj2-mxf9 | Vendor Advisory |
| https://jira.xwiki.org/browse/XWIKI-20342 | Issue Tracking, Permissions Required, Vendor Advisory |
| https://jira.xwiki.org/browse/XWIKI-20583 | Issue Tracking, Patch, Vendor Advisory |