| CVE-2026-40104 | unknown | — | — | 1mo ago | XWiki's REST APIs can list all pages/spaces, leading to unavailability |
| CVE-2026-33229 | unknown | — | — | 2mo ago | XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API |
| CVE-2025-54125 | unknown | — | — | 10mo ago | XWiki exposes passwords and emails stored in fields not named password/email in xml.vm |
| CVE-2025-54124 | unknown | — | — | 10mo ago | XWiki leaks password hashes and other accessible password properties |
| CVE-2025-54385 | unknown | — | — | 10mo ago | XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API |
| CVE-2025-49586 | unknown | — | — | 1y ago | XWiki allows remote code execution through preview of XClass changes in AWM editor |
| CVE-2024-56158 | unknown | — | — | 1y ago | XWiki allows SQL injection in query endpoint of REST API with Oracle |
| CVE-2025-32968 | unknown | — | — | 1y ago | org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API |
| CVE-2024-43400 | unknown | — | — | 2y ago | XWiki Platform allows XSS through XClass name in string properties |
| CVE-2024-37898 | unknown | — | — | 2y ago | XWiki Platform vulnerable to document deletion and overwrite from edit |
| CVE-2024-37899 | unknown | — | — | 2y ago | XWiki Platform allows remote code execution from user account |
| CVE-2024-31987 | unknown | — | — | 2y ago | XWiki Platform remote code execution from account via custom skins support |
| CVE-2024-31981 | unknown | — | — | 2y ago | XWiki Platform: Privilege escalation (PR) from user registration through PDFClass |
| CVE-2024-31464 | unknown | — | — | 2y ago | XWiki Platform: Password hash might be leaked by diff once the xobject holding them is deleted |
| CVE-2024-21648 | unknown | — | — | 2y ago | XWiki has no right protection on rollback action |
| CVE-2023-46243 | unknown | — | — | 3y ago | XWiki Platform vulnerable to privilege escalation and remote code execution via the edit action |
| CVE-2023-46242 | unknown | — | — | 3y ago | XWiki Platform vulnerable to remote code execution via the edit action because it lacks CSRF token |
| CVE-2023-37911 | unknown | — | — | 3y ago | org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents |
| CVE-2023-41046 | unknown | — | — | 3y ago | Velocity execution without script right through VelocityCode and VelocityWiki property |
| CVE-2023-40572 | unknown | — | — | 3y ago | XWiki Platform vulnerable to CSRF privilege escalation/RCE via the create action |
| CVE-2023-36468 | unknown | — | — | 3y ago | Upgrading doesn't prevent exploiting vulnerable XWiki documents |
| CVE-2023-35157 | unknown | — | — | 3y ago | XWiki Platform vulnerable to reflected cross-site scripting via delattachment action |
| CVE-2023-32068 | unknown | — | — | 3y ago | org.xwiki.platform:xwiki-platform-oldcore Open Redirect vulnerability |
| CVE-2023-29526 | unknown | — | — | 3y ago | XWiki Platform's async and display macro allow displaying and interacting with any document in restricted mode |
| CVE-2023-29523 | unknown | — | — | 3y ago | XWiki Platform vulnerable to code injection in display method used in user profiles |
| CVE-2023-29204 | unknown | — | — | 3y ago | org.xwiki.platform:xwiki-platform-oldcore Open Redirect vulnerability |
| CVE-2023-29507 | unknown | — | — | 3y ago | org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors |
| CVE-2023-29208 | unknown | — | — | 3y ago | org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents |
| CVE-2023-26470 | unknown | — | — | 3y ago | XWiki Platform subject to Uncontrolled Resource Consumption |
| CVE-2023-26474 | unknown | — | — | 3y ago | XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author |
| CVE-2022-41932 | unknown | — | — | 4y ago | Creation of new database tables through login form on PostgreSQL |
| CVE-2022-41929 | unknown | — | — | 4y ago | Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore |
| CVE-2022-31166 | unknown | — | — | 4y ago | XWiki.WebHome vulnerable to Improper Privilege Management in XWiki resolving groups |
| CVE-2022-36090 | unknown | — | — | 4y ago | XWiki Platform Improper Authorization check for inactive users |
| CVE-2022-36092 | unknown | — | — | 4y ago | XWiki Platform Old Core vulnerable to Authentication Bypass Using the Login Action |
| CVE-2022-29253 | unknown | — | — | 4y ago | Path Traversal in XWiki Platform |
| CVE-2006-7223 | unknown | — | — | 4y ago | XWiki Remote Code Execution |
| CVE-2021-43841 | unknown | — | — | 4y ago | Cross-site Scripting by SVG upload in xwiki-platform |
| CVE-2022-23621 | unknown | — | — | 4y ago | Missing authorization in xwiki-platform |
| CVE-2022-23618 | unknown | — | — | 4y ago | URL Redirection to Untrusted Site ('Open Redirect') |
| CVE-2022-23617 | unknown | — | — | 4y ago | Missing authorization in xwiki-platform |
| CVE-2022-23615 | unknown | — | — | 4y ago | Partial authorization bypass on document save in xwiki-platform |
| CVE-2021-29459 | unknown | — | — | 5y ago | XSS Cross Site Scripting |
| CVE-2020-15252 | unknown | — | — | 6y ago | RCE in XWiki |
| CVE-2020-15171 | unknown | — | — | 6y ago | Users with SCRIPT right can execute arbitrary code in XWiki |