{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40105", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T01:41:38.536Z", "datePublished": "2026-04-15T00:07:23.150Z", "dateUpdated": "2026-04-15T00:07:23.150Z"}, "containers": {"cna": {"title": "XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality", "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c"}, {"name": "https://jira.xwiki.org/browse/XWIKI-23472", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-23472"}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"version": ">= 10.4-rc-1, < 16.10.16", "status": "affected"}, {"version": ">= 17.0.0-rc-1, < 17.4.8", "status": "affected"}, {"version": ">= 17.5.0-rc-1, < 17.10.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T00:07:23.150Z"}, "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR."}], "source": {"advisory": "GHSA-w4fj-87j5-f25c", "discovery": "UNKNOWN"}}}}

{}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.4-rc-1,16.10.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.0.0-rc-1,17.4.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.5.0-rc-1,17.10.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "xwiki-platform", "source": "cna", "vendor": "xwiki"}, "product": "xwiki-platform", "vendor": "xwiki"}], "analysis": {"en": {"generated_at": "2026-04-15T02:21:54.541587+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest XWiki Platform release that includes the fix (any version after 17.10.0).", "If immediate upgrade is not possible, manually patch the file templates/changesdoc.vm in the deployed WAR to sanitize or remove the vulnerable rendering logic as described in the advisory.", "Limit access to the page history compare functionality or require administrative login so that normal users cannot trigger the vulnerable view."], "summary": {"action": "Immediate Patch", "impact": "Client\u2011side execution via reflected XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts only XWiki Platform, specifically the vendor product xwiki-platform. Affected releases include 10.4\u2011rc\u20111 through 16.10.15, 17.0.0\u2011rc\u20111 through 17.4.7, and 17.5.0\u2011rc\u20111 through 17.10.0. All of these versions expose the vulnerable comparison page; newer releases beyond 17.10.0 contain the fix.", "description_and_impact": "XWiki Platform versions from 10.4\u2011rc\u20111 to 17.10.0 contain a reflected cross\u2011site scripting flaw in the page history compare view. An attacker can craft a URL that injects malicious JavaScript when a comparison is rendered, allowing the attacker to run arbitrary code in the victim\u2019s browser. If the victim is an administrator, the malicious script can affect the entire XWiki instance, exposing confidential data, altering site content, or causing denial of service within that hosting environment. This is a typical CWE\u201180 vulnerability, where unsanitized user\u2011supplied input is reflected in the response.", "risk_and_exploitability": "The CVSS score is 6.5, representing a medium severity. EPSS data is missing, so no automated estimation of current exploit likelihood is available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is inferred as an unauthenticated or authenticated user clicking a crafted link, with the attacker needing administrative privileges to fully exploit the vulnerability. The flaw is a standard reflected XSS, meaning exploitation typically requires user interaction, but once an admin is affected it can compromise the whole instance."}}}}, "created": "2026-04-15T13:48:23.609273+00:00", "updated": "2026-04-15T13:49:14.873490+00:00", "vendors": ["xwiki", "xwiki$PRODUCT$xwiki-platform"]}