XWiki CVE-2026-34151
HIGHSeverity by source
Remote unauthenticated request to the public skin endpoint (AV:N/PR:N/UI:N) with reliable in-webapp file read gives AC:L and C:H; no integrity or availability impact, scope unchanged within the app process.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
1DescriptionCVE.org
Impact
With Jetty 12+ a user can craft a URL to access any resource the Jetty instance is allowed to access.
For example http://[host]/xwiki/bin/skin/..%252f/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd allows downloading the content of the /etc/passwd file, provided Jetty is allowed to read it, and if your XWiki webapp is located exactly 5 levels below / (like /var/lib/jetty/webapps/xwiki, which is the case in the docker image, for example).
Another example which does not go out of the XWiki webapp, but it's still a vulnerability (since users should not be allowed to access Hibernate or XWiki configuration files) is http://[host]/xwiki/bin/skin/..%252f/..%252fWEB-INF/xwiki.cfg.
Patches
This vulnerability has been patched in XWiki 17.10.5 and 18.2.0.
Workarounds
A possible workaround is to use a different application server, like Jetty < 12 (in the case of XWiki < 17) or Tomcat, which don't seem to be impacted.
Resources
- https://jira.xwiki.org/browse/XWIKI-24075
- https://jira.xwiki.org/browse/XCOMMONS-3594
For more information
If there are any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Send an email to the [Security Mailing List](mailto:security@xwiki.org)
Attribution
Lê Ngọc Khoa reported the vulnerability.
AnalysisAI
Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be XWiki (before 17.10.5 / 18.2.0) served by Jetty version 12 or later - Tomcat and Jetty <12 are not affected, which is the single strongest limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector, EPSS score, or KEV entry was provided, so quantitative risk signals are absent and must be inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker discovers an internet-facing XWiki instance running the Docker image (Jetty 12), then requests http://[host]/xwiki/bin/skin/..%252f/..%252fWEB-INF/xwiki.cfg to retrieve the XWiki and Hibernate configuration, including database credentials. Because the advisory publishes the exact working URLs, no exploit development is needed; the attacker can also attempt the deeper ..%252f chain to /etc/passwd where the webapp depth matches. |
| Remediation | Vendor-released patch: XWiki 17.10.5 and 18.2.0 - upgrade to one of these fixed versions as the primary remediation (advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qj4x-9g63-25g6; upstream fix: https://github.com/xwiki/xwiki-commons/pull/1675; tracking: https://jira.xwiki.org/browse/XCOMMONS-3594 and https://jira.xwiki.org/browse/XWIKI-24075). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all XWiki instances, confirm Jetty version and XWiki version to determine exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTT
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products,
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and
Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager all
Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerabili
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debia
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distribu
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b
Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely
Same weakness CWE-24 – Path Traversal: '../filedir'
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qj4x-9g63-25g6