CVE-2026-24128

6.1 MEDIUM

📋 TL;DR

This reflected XSS vulnerability in XWiki Platform allows attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers. If victims have administrative or programming rights, attackers can gain full control of the XWiki installation. Affected versions include 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, 17.5.0-rc-1 through 17.7.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All XWiki installations using affected versions are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of XWiki installation with administrative privileges, allowing data theft, system takeover, and lateral movement.

🟠 Likely Case: Session hijacking, credential theft, and privilege escalation for authenticated users.

🟢 If Mitigated: Limited impact if victims have minimal privileges and proper input validation is enforced elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS vulnerabilities are commonly weaponized. The attack requires the victim to open an attacker-crafted link.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.10.12, 17.4.5, 17.8.0-rc-1

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp

Restart Required: No

Instructions:

1. Upgrade to a patched version: 16.10.12, 17.4.5, or 17.8.0-rc-1.
2. Apply the manual patch to templates/logging_macros.vm if upgrading is not possible.

🔧 Temporary Workarounds

Manual template patch (applies to: all)

Apply the single-line fix to the templates/logging_macros.vm file as shown in the GitHub commit.

Edit templates/logging_macros.vm and apply the fix from: https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf

🧯 If You Can't Patch

  • Implement WAF rules to block XSS payloads in URLs
  • Restrict user privileges to minimize impact if exploited

🔍 How to Verify

Check if Vulnerable:

Check the XWiki version against the affected ranges. Test for XSS in the logging templates.

Check Version:

Check XWiki administration panel or xwiki.cfg file for version.

Verify Fix Applied:

Verify that the version is 16.10.12, 17.4.5, or 17.8.0-rc-1 or later, and test that XSS payloads no longer execute.
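Comparing a version string against the three affected ranges by hand is error-prone because XWiki pre-release tags (milestone, rc) sort before the final release of the same number. The script below is an added example, not part of this advisory or of the XWiki project: it parses XWiki version strings, orders milestone < rc < final, tests the version against the affected ranges listed above, and names the patched release for the matching branch. The branch-to-fix mapping (16.10.11 to 16.10.12, 17.4.4 to 17.4.5, 17.7.0 to 17.8.0-rc-1) is inferred from the adjacency of the version numbers on this page; the version string itself is assumed to have been read from the administration panel or configuration, as the verification steps describe.

```python
import re
import sys

# Pre-release stages sort below the final release of the same number:
# 17.0.0-milestone-1 < 17.0.0-rc-1 < 17.0.0
STAGE_RANK = {"milestone": 0, "rc": 1}
FINAL_RANK = 2

# Accepts "7.0", "16.10.11", "17.0.0-rc-1", "7.0-milestone-2"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?$")


def parse_version(version):
    """Turn an XWiki version string into a comparable tuple.

    Returns (major, minor, patch, stage_rank, stage_number); a missing patch
    component is treated as 0 and a final release gets the highest stage rank.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, stage, num = m.groups()
    return (
        int(major),
        int(minor),
        int(patch or 0),
        STAGE_RANK[stage] if stage else FINAL_RANK,
        int(num) if num else 0,
    )


# (first affected, last affected, patched release) per branch, taken from the
# advisory summary above; the fix column is the next release after each range.
AFFECTED_RANGES = [
    ("7.0-milestone-2", "16.10.11", "16.10.12"),
    ("17.0.0-rc-1", "17.4.4", "17.4.5"),
    ("17.5.0-rc-1", "17.7.0", "17.8.0-rc-1"),
]


def fix_for(version):
    """Return the patched release for an affected version, or None if not affected."""
    key = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= key <= parse_version(high):
            return fixed
    return None


def is_affected(version):
    """True when the version falls inside one of the affected ranges."""
    return fix_for(version) is not None


if __name__ == "__main__":
    # Usage: python check_xwiki_version.py 17.6.2
    for arg in sys.argv[1:]:
        fixed = fix_for(arg)
        if fixed:
            print(f"{arg}: AFFECTED by CVE-2026-24128, upgrade to {fixed}")
        else:
            print(f"{arg}: not in an affected range")
```

The comparison is purely lexical on the version number; it says nothing about whether the manual template patch has been applied to an otherwise affected build, so a patched-in-place install still needs the behavioural test from the verification steps.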

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL parameters with script tags or JavaScript in access logs
  • Multiple failed XSS attempts

Network Indicators:

  • HTTP requests containing XSS payloads in URL parameters

SIEM Query:

url:*script* OR url:*javascript* OR url:*onerror* OR url:*onload*
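The wildcard query above matches on the raw URL, so it fires on harmless values such as `q=subscription` and misses payloads that arrive percent-encoded (or double-encoded). The following is an added example, not part of this advisory: it parses Apache-style access-log lines, URL-decodes each query parameter value (repeatedly, to undo double encoding), and applies the same four indicators as anchored patterns. The log lines, IP addresses, and the parameter names in them are constructed for the example and are not taken from the XWiki advisory; the naive matcher is included only to show the false positive on the benign line.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# The same four indicators as the SIEM query, but anchored to how they appear
# in an injected payload rather than as bare substrings.
XSS_INDICATORS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(?:error|load)\s*=", re.I),
]

# Apache combined/common log prefix: ip ident user [ts] "METHOD url PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \d+'
)


def naive_siem_match(url):
    """Substring match equivalent to the url:*script* OR ... wildcard query."""
    lowered = url.lower()
    return any(tok in lowered for tok in ("script", "javascript", "onerror", "onload"))


def decode_repeatedly(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding; stops when nothing changes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url):
    """Return [(param_name, pattern)] for query values carrying an XSS indicator."""
    hits = []
    # parse_qsl already decodes one layer; decode_repeatedly handles the rest.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = decode_repeatedly(value)
        for pattern in XSS_INDICATORS:
            if pattern.search(decoded):
                hits.append((name, pattern.pattern))
                break
    return hits


def scan_access_log(lines):
    """Return [(ip, url, hits)] for log lines whose request URL carries an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        hits = suspicious_params(m.group("url"))
        if hits:
            findings.append((m.group("ip"), m.group("url"), hits))
    return findings


# Constructed sample log: one benign request whose value merely contains the
# substring "script", then three requests with encoded generic XSS markers.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2026:10:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome?q=subscription HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Feb/2026:10:00:02 +0000] "GET /xwiki/bin/view/Main/WebHome?msg=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Feb/2026:10:00:03 +0000] "GET /xwiki/bin/view/Main/WebHome?target=javascript%3Aalert(1) HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Feb/2026:10:00:04 +0000] "GET /xwiki/bin/view/Main/WebHome?msg=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, url, hits in scan_access_log(SAMPLE_LOG):
        print(ip, url, hits)
```

Running the block flags only the three encoded requests; the benign `subscription` line, which the wildcard query would match, produces no finding. A 200 status on a flagged request is worth correlating with the session of the user who followed the link, since reflected XSS only matters when a victim's browser renders the response.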
