CVE-2026-23734

Summary

XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability is can be exploited via resources parameter the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17.

Affected Software

VendorProductVersion RangeStatus
xwikixwiki-commons>= 4.2-milestone-2, < 16.10.17affected
xwikixwiki-commons>= 17.0.0-rc-1, < 17.4.9affected
xwikixwiki-commons>= 17.5.0, < 17.10.3affected
xwikixwiki-commons>= 18.0.0-rc-1, < 18.1.0-rc-1affected

Weaknesses

  • CWE-23: CWE-23: Relative Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References