XWiki Security Vulnerabilities (CVEs)

Track 125 security vulnerabilities affecting XWiki products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.

Severity breakdown: 83 Critical, 33 High, 9 Medium
Each entry below lists the CVE identifier, its CVSS score and the date it was published on this tracker.

CVE-2026-26000 (CVSS 6.1) - Feb 12, 2026
This vulnerability in XWiki Platform allows attackers to inject malicious CSS through comments, which can transform the entire wiki interface into a c...

CVE-2026-24128 (CVSS 6.1) - Jan 24, 2026
This reflected XSS vulnerability in XWiki Platform allows attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers. If...

CVE-2025-66474 (CVSS 8.8) - Dec 10, 2025
CVE-2025-66474 is an HTML injection vulnerability in XWiki Rendering that allows authenticated users to execute arbitrary script macros, leading to re...

CVE-2025-66473 (CVSS 7.5) - Dec 10, 2025
XWiki REST API lacks request size limits, allowing attackers to request all wiki pages in a single call. This can cause excessive memory consumption l...

CVE-2025-66472 (CVSS 6.1) - Dec 10, 2025
This CVE describes a reflected cross-site scripting (XSS) vulnerability in XWiki Platform that allows attackers to inject malicious scripts into delet...

CVE-2025-65036 (CVSS 8.3) - Dec 5, 2025
CVE-2025-65036 is a critical vulnerability in XWiki Remote Macros that allows unauthenticated attackers to execute arbitrary code via Velocity templat...

CVE-2025-55749 (CVSS 7.5) - Dec 1, 2025
This vulnerability in XWiki Jetty package (XJetty) exposes a context that allows static access to any file in the webapp/ folder. Attackers can potent...

CVE-2025-65089 (CVSS 6.8) - Nov 19, 2025
This vulnerability allows users without view permissions to access Office attachment content via the view file macro in XWiki Remote Macros. It affect...

CVE-2025-55727 (CVSS 10.0) - Sep 9, 2025
CVE-2025-55727 is a critical remote code execution vulnerability in XWiki Remote Macros that allows attackers to execute arbitrary code on affected sy...

CVE-2025-55747 (CVSS 9.1) - Sep 3, 2025
XWiki Platform versions 6.1-milestone-2 through 16.10.6 expose configuration files via the webjars API, allowing attackers to access sensitive system ...

CVE-2025-51990 (CVSS 4.8) - Aug 20, 2025
Authenticated administrators in XWiki can inject malicious JavaScript into administration interface fields, which then executes persistently in visito...

CVE-2025-51991 (CVSS 8.8) - Aug 20, 2025
This vulnerability allows authenticated administrators in XWiki to inject malicious Apache Velocity templates through the Global Preferences Presentat...

CVE-2025-54385 (CVSS 9.8) - Jul 26, 2025
This CVE describes a critical SQL injection vulnerability in XWiki Platform that allows attackers to execute arbitrary SQL queries on Oracle databases...

CVE-2025-32429 (CVSS 9.8) - Jul 24, 2025
This CVE describes a critical SQL injection vulnerability in XWiki Platform that allows unauthenticated attackers to execute arbitrary SQL commands vi...

CVE-2025-53835 (CVSS 9.0) - Jul 14, 2025
This vulnerability in XWiki Rendering allows cross-site scripting (XSS) attacks through raw HTML blocks in the XHTML syntax. Users who can edit docume...

CVE-2025-49591 (CVSS 9.1) - Jun 18, 2025
CryptPad versions before 2025.3.0 have a critical 2FA bypass vulnerability. Attackers who obtain user credentials can access accounts even with 2FA en...

CVE-2025-49584 (CVSS 7.5) - Jun 13, 2025
This vulnerability in XWiki allows attackers to access page titles through the REST API without proper authorization. It affects XWiki installations w...

CVE-2025-49586 (CVSS 8.8) - Jun 13, 2025
This vulnerability allows any XWiki user with edit rights on an App Within Minutes application to escalate privileges to programming rights, leading t...

CVE-2025-49582 (CVSS 8.0) - Jun 13, 2025
XWiki's required rights analyzers for dangerous macros are incomplete, allowing attackers to hide malicious content by using non-lowercase parameters ...

CVE-2025-49581 (CVSS 8.8) - Jun 13, 2025
This vulnerability in XWiki allows users with edit rights on any page (including their own profile) to execute arbitrary code with programming rights ...

CVE-2024-56158 (CVSS 9.8) - Jun 12, 2025
This vulnerability allows authenticated XWiki users to execute arbitrary SQL queries on Oracle databases through unsanitized DBMS_XMLGEN and DBMS_XMLQ...

CVE-2025-48063 (CVSS 8.8) - May 21, 2025
A bug in XWiki's required rights enforcement allows users with edit rights to set programming rights as required rights on documents. If a user with p...

CVE-2025-46557 (CVSS 9.8) - Apr 30, 2025
This vulnerability allows any user with access to XWiki pages to switch authentication methods, potentially disrupting authentication systems. It affe...

CVE-2025-32973 (CVSS 9.0) - Apr 30, 2025
This vulnerability in XWiki allows attackers to gain programming rights through a privilege escalation attack. An attacker with edit rights can create...

CVE-2025-32969 (CVSS 9.8) - Apr 23, 2025
This vulnerability allows remote unauthenticated attackers to perform blind SQL injection on XWiki instances, potentially executing arbitrary SQL stat...

CVE-2025-29924 (CVSS 7.5) - Mar 19, 2025
XWiki Platform subwikis with 'Prevent unregistered users to view pages' or similar privacy settings are vulnerable to unauthorized access through REST...

CVE-2025-29925 (CVSS 5.3) - Mar 19, 2025
XWiki Platform REST endpoints improperly list protected pages even when users lack view permissions. This information disclosure vulnerability affects...

CVE-2025-29926 (CVSS 9.8) - Mar 19, 2025
This vulnerability allows any user to exploit the WikiManager REST API in XWiki Platform to create a new wiki and gain administrator privileges. This ...

CVE-2025-23025 (CVSS 9.0) - Jan 14, 2025
In XWiki Platform, users with only edit rights can join realtime editing sessions and insert script rendering macros that execute for users with scrip...

CVE-2024-55877 (CVSS 9.9) - Dec 12, 2024
This vulnerability allows any authenticated user in XWiki Platform to execute arbitrary code remotely by adding malicious WikiMacroClass instances to ...

CVE-2024-55879 (CVSS 9.1) - Dec 12, 2024
This vulnerability allows any XWiki user with script rights to execute arbitrary remote code by adding XWiki.ConfigurableClass instances to pages. Thi...

CVE-2024-55876 (CVSS 5.4) - Dec 12, 2024
This vulnerability allows any authenticated user on the main XWiki wiki to execute scheduling operations on subwikis without proper authorization. It ...

CVE-2024-55663 (CVSS 9.8) - Dec 12, 2024
This CVE describes an SQL injection vulnerability in XWiki Platform's getdocument.vm template where unsanitized request parameters allow HQL injection...

CVE-2024-52300 (CVSS 9.0) - Nov 13, 2024
CVE-2024-52300 is a cross-site scripting (XSS) vulnerability in the macro-pdfviewer component for XWiki that allows attackers to inject malicious scri...

CVE-2024-52299 (CVSS 7.5) - Nov 13, 2024
CVE-2024-52299 is an authentication bypass vulnerability in the macro-pdfviewer component for XWiki that allows any user with view rights on XWiki.PDF...

CVE-2024-46978 (CVSS 6.5) - Sep 18, 2024
This vulnerability in XWiki Platform allows any authenticated user to manipulate another user's notification filter preferences by knowing the filter ...

CVE-2024-43401 (CVSS 9.0) - Aug 19, 2024
This vulnerability allows unprivileged users to trick administrators into editing malicious content in XWiki's WYSIWYG editor, executing arbitrary cod...

CVE-2024-42489 (CVSS 10.0) - Aug 12, 2024
This CVE describes a critical remote code execution vulnerability in Pro Macros for XWiki. Attackers with view rights on specific pages or edit/commen...

CVE-2024-41947 (CVSS 9.0) - Jul 31, 2024
This XWiki vulnerability allows attackers to inject and execute JavaScript code in the context of higher-privileged users by creating edit conflicts. ...

CVE-2024-37898 (CVSS 4.3) - Jul 31, 2024
This vulnerability in XWiki Platform allows users with view-only permissions on a page to delete and replace it with new content, bypassing edit and d...

CVE-2024-37901 (CVSS 9.9) - Jul 31, 2024
This vulnerability allows any user with edit rights on any XWiki page to perform arbitrary remote code execution by adding specific objects to their u...

CVE-2024-38369 (CVSS 9.9) - Jun 24, 2024
This vulnerability in XWiki Platform allows privilege escalation through macro execution context manipulation. When using the include macro, content e...

CVE-2024-37899 (CVSS 9.0) - Jun 20, 2024
This vulnerability in XWiki Platform allows privilege escalation through improper access control. When an administrator disables a user account, the u...

CVE-2024-31997 (CVSS 9.9) - Apr 10, 2024
CVE-2024-31997 is a critical remote code execution vulnerability in XWiki Platform where UI extension parameters are improperly executed as Velocity c...

CVE-2024-31988 (CVSS 9.6) - Apr 10, 2024
This vulnerability allows remote code execution in XWiki Platform when the realtime editor is installed. An attacker can craft a malicious URL or imag...

CVE-2024-31986 (CVSS 9.0) - Apr 10, 2024
This vulnerability allows remote code execution on XWiki servers through crafted document references. Attackers can execute arbitrary code when an adm...

CVE-2024-31981 (CVSS 9.9) - Apr 10, 2024
This vulnerability allows remote code execution in XWiki Platform via PDF export templates. Attackers can execute arbitrary code on affected XWiki ins...

CVE-2024-31983 (CVSS 9.9) - Apr 10, 2024
This vulnerability in XWiki Platform allows users with edit rights to modify translations without proper authorization, bypassing script or admin righ...

CVE-2024-31465 (CVSS 9.9) - Apr 10, 2024
This vulnerability allows any user with edit rights on any XWiki page to execute arbitrary code on the server by adding a malicious XWiki.SearchSugges...

CVE-2024-21648 (CVSS 8.0) - Jan 9, 2024
CVE-2024-21648 is an authorization bypass vulnerability in XWiki Platform where the rollback action lacks proper permission checks. This allows authen...

Why Monitor XWiki Security Vulnerabilities?

Real-time CVE tracking: Our automated system monitors 125+ known vulnerabilities affecting XWiki products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.

Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable XWiki packages in under 60 seconds. No agents are required: the scanning is agentless and works across XWiki deployments.

Free vulnerability database: Access detailed information about every XWiki CVE, including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your remediation efforts.

🚀 Get Started in 60 Seconds

  • Register a free account and add your servers
  • Run a one-time scan or schedule automatic monitoring (every 1-24 hours)
  • Receive instant alerts when new XWiki CVEs affect your systems
  • Access a dashboard with severity breakdown and fix instructions