Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 2 maven packages depend on org.xwiki.commons:xwiki-commons-classloader-api (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.2-milestone-2.
DescriptionGitHub Advisory
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability is can be exploited via resources parameter the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17.
AnalysisAI
Path traversal in XWiki Platform allows unauthenticated remote attackers to read arbitrary files on the server, including sensitive configuration like WEB-INF/xwiki.cfg, by abusing the resource parameter of the ssx and jsx endpoints with leading-slash prefixes. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege exploitation with high impact to confidentiality, integrity, and availability of the vulnerable component. No public exploit identified at time of analysis, though the GitHub Security Advisory includes a working URL pattern that effectively demonstrates the issue.
Technical ContextAI
XWiki is a Java-based enterprise wiki platform; the flaw resides in xwiki-commons, specifically in ClassLoaderUtils.resolveResourceName within the classloader-api module. The root cause maps to CWE-23 (Relative Path Traversal): the code passed user-supplied resource paths into Paths.get(fullPath).normalize() without stripping leading slashes. On Tomcat (XWiki's typical servlet container) leading slashes are ignored when resolving classpath resources, but Java's Path.normalize() treats them as absolute, so '/../..' sequences traversed above the intended classloader root. The ssx (Skin Style Sheet eXtension) and jsx (JavaScript eXtension) servlets, which serve dynamic resources, exposed this primitive to unauthenticated HTTP callers, letting them read WEB-INF/ and other internal files. The patch normalizes by stripping leading '/' characters before calling Paths.normalize, and the new test cases assert that inputs like '/..' and '////..' now throw IllegalArgumentException.
RemediationAI
Vendor-released patch: upgrade to XWiki 18.1.0-rc-1, 17.10.3, 17.4.9, or 16.10.17 depending on your release line, as referenced in the GitHub Security Advisory GHSA-xq3r-2qv5-vqqm and applied in commit a979cafd89f6a9c9c0b9ab19744d672df64429bf. If immediate patching is not feasible, place a reverse proxy (nginx/Apache/WAF) rule in front of XWiki that rejects requests to /bin/ssx/* and /bin/jsx/* containing a resource query parameter whose decoded value begins with '/' or contains '..' sequences; note this will break legitimate skin/JS extensions that genuinely rely on those endpoints, so test on a staging instance first. Additionally, restrict network access to the XWiki application so only trusted users can reach it until the upgrade is rolled out, and rotate any secrets stored in WEB-INF/xwiki.cfg, hibernate.cfg.xml, or similar files that may have been exposed.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31152
GHSA-xq3r-2qv5-vqqm