CVE-2026-40104
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| xwiki | org.xwiki.platform:xwiki-platform-oldcore | >= 1.8-rc-1, < 16.10.16 | affected |
| xwiki | org.xwiki.platform:xwiki-platform-oldcore | >= 17.0.0-rc-1, < 17.4.8 | affected |
| xwiki | org.xwiki.platform:xwiki-platform-oldcore | >= 17.5.0-rc-1, < 17.10.1 | affected |
| xwiki | org.xwiki.platform:xwiki-platform-legacy-oldcore | >= 1.8-rc-1, < 16.10.16 | affected |
| xwiki | org.xwiki.platform:xwiki-platform-legacy-oldcore | >= 17.0.0-rc-1, < 17.4.8 | affected |
| xwiki | org.xwiki.platform:xwiki-platform-legacy-oldcore | >= 17.5.0-rc-1, < 17.10.1 | affected |
Weaknesses
- CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g
- https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7
- https://jira.xwiki.org/browse/XWIKI-23550
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.