Which versions of XWiki Platform are affected by CVE-2026-33137?

XWiki Platform contains a critical vulnerability (CVE-2026-33137, CVSS 9.3) that allows unauthenticated remote attackers to create or modify arbitrary documents across all affected wiki instances.. A patch is available.

How to fix or mitigate CVE-2026-33137?

Within 24 hours: Identify all instances of XWiki Platform and document current versions in use. Within 7 days: Upgrade to patched versions (16.10.17, 17.4.9, 17.10.3, 18.0.1, or 18.1.0-rc-1 depending on current branch). Within 30 days: Conduct audit of document changes during the vulnerability window and verify all instances are running patched versions; enable audit logging for future wiki modifications.

XWiki Platform CVE-2026-33137

Q: What is the CVSS score of CVE-2026-33137?

CVE-2026-33137 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-31157 CRITICAL

Missing Authorization (CWE-862)

2026-05-20 GitHub_M

GHSA-qrvh-r3f2-9h4r

Authentication Bypass

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 20, 2026 - 20:04 vuln.today

Analysis Generated

May 20, 2026 - 20:04 vuln.today

Patch available

May 20, 2026 - 20:02 EUVD

DescriptionNVD

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

AnalysisAI

{wikiName} REST endpoint, which was missing authorization checks. Affects all releases prior to 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1. …

RemediationAI

Within 24 hours: Identify all instances of XWiki Platform and document current versions in use. Within 7 days: Upgrade to patched versions (16.10.17, 17.4.9, 17.10.3, 18.0.1, or 18.1.0-rc-1 depending on current branch). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33137 vulnerability details – vuln.today

Back

XWiki Platform CVE-2026-33137

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

XWiki Platform CVE-2026-33137

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code