Skip to main content

Xwiki CVE-2024-56158

| EUVDEUVD-2024-54677 CRITICAL
SQL Injection (CWE-89)
2025-06-12 security-advisories@github.com GHSA-prwh-7838-xf82
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 21:20 euvd
EUVD-2024-54677
Analysis Generated
Mar 14, 2026 - 21:20 vuln.today
CVE Published
Jun 12, 2025 - 15:15 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.

AnalysisAI

Critical SQL injection vulnerability in XWiki that allows unauthenticated remote attackers to execute arbitrary SQL queries against Oracle databases by exploiting insufficient validation of native SQL functions (DBMS_XMLGEN, DBMS_XMLQUERY) in Hibernate query processing. The vulnerability affects XWiki versions before 16.10.2, 16.4.7, and 15.10.16, with a CVSS score of 9.8 indicating critical severity and complete compromise of confidentiality, integrity, and availability. This is a pre-authentication remote code execution vector with no user interaction required.

Technical ContextAI

The vulnerability exists at the intersection of XWiki's query validation layer and Hibernate ORM's native function support. XWiki uses Hibernate for database abstraction, which permits native SQL functions in HQL (Hibernate Query Language) queries. The XWiki query validator fails to properly sanitize or blocklist Oracle-specific functions like DBMS_XMLGEN and DBMS_XMLQUERY, which are privileged PL/SQL packages that can be abused to execute arbitrary SQL. This is rooted in CWE-89 (SQL Injection) where user-controllable input reaches SQL execution contexts without proper parameterization or validation. The root cause is inadequate input validation combined with overly permissive Hibernate function resolution, allowing attackers to bypass intended security controls by leveraging database-native capabilities that the validator does not account for.

RemediationAI

Immediate patching is required: upgrade to XWiki 16.10.2, 16.4.7, or 15.10.16 depending on your current version line. For version 15.x: upgrade to 15.10.16 or later. For version 16.4.x: upgrade to 16.4.7 or later. For version 16.10.x: upgrade to 16.10.2 or later. Interim mitigations pending patch deployment: (1) Restrict network access to XWiki instances using firewall rules or WAF rules that block requests containing suspicious SQL function names (DBMS_XMLGEN, DBMS_XMLQUERY); (2) implement database-level access controls to limit SQL execution capabilities of the XWiki database user account; (3) disable or restrict use of Hibernate native query features if not required by application logic; (4) monitor database logs for suspicious function calls. However, these mitigations are not a substitute for patching and should only be temporary measures.

More in Xwiki

View all
CVE-2025-24893 CRITICAL POC
9.8 Feb 20

XWiki Platform allows unauthenticated remote code execution through the SolrSearch endpoint, enabling guests to execute

CVE-2024-21650 CRITICAL POC
10.0 Jan 08

XWiki Platform prior to specific patched versions contains a CVSS 10.0 remote code execution vulnerability through the u

CVE-2025-32969 CRITICAL POC
9.3 Apr 23

XWiki is a generic wiki platform. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut

CVE-2023-27479 CRITICAL POC
9.9 Mar 07

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical

CVE-2024-31996 CRITICAL POC
9.8 Apr 10

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl

CVE-2024-31982 CRITICAL POC
9.8 Apr 10

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl

CVE-2023-46731 CRITICAL POC
9.8 Nov 06

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical

CVE-2023-26477 CRITICAL POC
9.8 Mar 02

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl

CVE-2025-49586 HIGH POC
8.8 Jun 13

A remote code execution vulnerability in XWiki (CVSS 8.8). Risk factors: public PoC available. Vendor patch is available

CVE-2025-55747 CRITICAL POC
9.3 Sep 03

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical

CVE-2025-46558 CRITICAL POC
9.0 Apr 30

XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown.

CVE-2023-45136 CRITICAL POC
9.6 Oct 25

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical

Share

CVE-2024-56158 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy