Skip to main content

XWiki Platform CVE-2026-23734

| EUVDEUVD-2026-31152 CRITICAL
Relative Path Traversal (CWE-23)
2026-05-20 GitHub_M GHSA-xq3r-2qv5-vqqm
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 20, 2026 - 20:04 vuln.today
Analysis Generated
May 20, 2026 - 20:04 vuln.today
Patch available
May 20, 2026 - 20:02 EUVD

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 maven packages depend on org.xwiki.commons:xwiki-commons-classloader-api (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2-milestone-2.

DescriptionGitHub Advisory

XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability is can be exploited via resources parameter the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17.

AnalysisAI

Path traversal in XWiki Platform allows unauthenticated remote attackers to read arbitrary files on the server, including sensitive configuration like WEB-INF/xwiki.cfg, by abusing the resource parameter of the ssx and jsx endpoints with leading-slash prefixes. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege exploitation with high impact to confidentiality, integrity, and availability of the vulnerable component. No public exploit identified at time of analysis, though the GitHub Security Advisory includes a working URL pattern that effectively demonstrates the issue.

Technical ContextAI

XWiki is a Java-based enterprise wiki platform; the flaw resides in xwiki-commons, specifically in ClassLoaderUtils.resolveResourceName within the classloader-api module. The root cause maps to CWE-23 (Relative Path Traversal): the code passed user-supplied resource paths into Paths.get(fullPath).normalize() without stripping leading slashes. On Tomcat (XWiki's typical servlet container) leading slashes are ignored when resolving classpath resources, but Java's Path.normalize() treats them as absolute, so '/../..' sequences traversed above the intended classloader root. The ssx (Skin Style Sheet eXtension) and jsx (JavaScript eXtension) servlets, which serve dynamic resources, exposed this primitive to unauthenticated HTTP callers, letting them read WEB-INF/ and other internal files. The patch normalizes by stripping leading '/' characters before calling Paths.normalize, and the new test cases assert that inputs like '/..' and '////..' now throw IllegalArgumentException.

RemediationAI

Vendor-released patch: upgrade to XWiki 18.1.0-rc-1, 17.10.3, 17.4.9, or 16.10.17 depending on your release line, as referenced in the GitHub Security Advisory GHSA-xq3r-2qv5-vqqm and applied in commit a979cafd89f6a9c9c0b9ab19744d672df64429bf. If immediate patching is not feasible, place a reverse proxy (nginx/Apache/WAF) rule in front of XWiki that rejects requests to /bin/ssx/* and /bin/jsx/* containing a resource query parameter whose decoded value begins with '/' or contains '..' sequences; note this will break legitimate skin/JS extensions that genuinely rely on those endpoints, so test on a staging instance first. Additionally, restrict network access to the XWiki application so only trusted users can reach it until the upgrade is rolled out, and rotate any secrets stored in WEB-INF/xwiki.cfg, hibernate.cfg.xml, or similar files that may have been exposed.

Share

CVE-2026-23734 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy