XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages

Description

Impact

A reflected cross-site scripting (XSS) vulnerability in XWiki allows an attacker to execute arbitrary actions in XWiki with the rights of the victim if the attacker manages to trick a victim into visiting a crafted URL. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation.

Patches

This vulnerability has been patched in XWiki 17.8.0RC1, 17.4.5 and 16.10.12.

Workarounds

The patch can be applied manually: only a single line in templates/logging_macros.vm needs to be changed, and no restart is required.

References

  • https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf
  • https://jira.xwiki.org/browse/XWIKI-23462

Attribution

We thank Mike Cole @mikecole-mg for discovering and reporting this vulnerability.

Basic information

Type: reviewed
Severity: medium
Published (advisory): 2026-01-23 16:28:44 UTC
Updated: 2026-01-28 04:42:42 UTC
GitHub reviewed: 2026-01-23 16:28:44 UTC
NVD published: 2026-01-23

EPSS Score

Score: 0.07%
Percentile: 22.17%

CVSS Scores

Base score: 6.5
Version: 4.0
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:P)
A user has to participate (for example click/open/approve).
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N)
No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:H)
High confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:H)
High integrity impact on subsequent systems.
Subsequent system availability impact (SA:H)
High availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Credits

  • mikecole-mg (reporter)

Affected packages (3)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven org.xwiki.platform:xwiki-platform-web-templates >= 7.0-milestone-2, < 16.10.12 16.10.12
maven org.xwiki.platform:xwiki-platform-web-templates >= 17.0.0-rc-1, < 17.4.5 17.4.5
maven org.xwiki.platform:xwiki-platform-web-templates >= 17.5.0-rc-1, < 17.8.0-rc-1 17.8.0-rc-1
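The three vulnerable ranges above use Maven-style version strings with pre-release qualifiers (7.0-milestone-2, 17.0.0-rc-1, 17.8.0-rc-1), so a naive string comparison gets the boundaries wrong. The following checker is an added example, not code from the advisory or from the XWiki project: it copies the ranges from the table above and tells an operator whether an installed xwiki-platform-web-templates version falls inside one of them and which release first patched it. It assumes XWiki follows Maven's ordering of qualifiers (milestone < rc < final release) and that the operator supplies the installed version string; the sample versions in main() are constructed.

```python
import re

# Vulnerable ranges for org.xwiki.platform:xwiki-platform-web-templates,
# copied from the advisory: (inclusive lower bound, exclusive upper bound,
# first patched release).
VULNERABLE_RANGES = [
    ("7.0-milestone-2", "16.10.12", "16.10.12"),
    ("17.0.0-rc-1", "17.4.5", "17.4.5"),
    ("17.5.0-rc-1", "17.8.0-rc-1", "17.8.0-rc-1"),
]

# Assumption: pre-release qualifiers sort below the final release in the
# order Maven uses for them (milestone < rc < release).
QUALIFIER_RANK = {"milestone": 0, "rc": 1, "": 2}

_VERSION_RE = re.compile(
    r"(\d+(?:\.\d+)*)"              # numeric part: 17.8.0 or 7.0
    r"(?:-?(milestone|rc)-?(\d+))?",  # optional qualifier: -rc-1, RC1, -milestone-2
    re.IGNORECASE,
)


def parse_version(version):
    """Turn strings like '17.8.0RC1', '17.8.0-rc-1' or '7.0-milestone-2'
    into a tuple that sorts the way Maven orders these releases."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    # Pad short versions so 7.0 compares like 7.0.0.
    nums = nums + (0,) * max(0, 3 - len(nums))
    qualifier = (m.group(2) or "").lower()
    qualifier_number = int(m.group(3)) if m.group(3) else 0
    return (nums, QUALIFIER_RANK[qualifier], qualifier_number)


def first_patched_release(installed):
    """Return the first patched release for the range the installed version
    falls into, or None if the version is not in any vulnerable range."""
    key = parse_version(installed)
    for lower, upper, patched in VULNERABLE_RANGES:
        if parse_version(lower) <= key < parse_version(upper):
            return patched
    return None


def main():
    # Constructed sample versions an operator might find in their deployment.
    for installed in ["16.10.11", "16.10.12", "17.0.0-rc-1", "17.4.5",
                      "17.7.2", "17.8.0RC1"]:
        patched = first_patched_release(installed)
        status = f"vulnerable, upgrade to {patched}" if patched else "not in a vulnerable range"
        print(f"{installed:>12}: {status}")


if __name__ == "__main__":
    main()
```

Note that versions between two ranges (for example 17.4.6) are reported as not vulnerable, which matches the advisory: the 17.4.x line is fixed from 17.4.5 onward, and a new range only starts again at 17.5.0-rc-1.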
