Skip to main content

XWiki CVE-2026-34151

HIGH
Path Traversal: '../filedir' (CWE-24)
2026-07-07 https://github.com/xwiki/xwiki-platform GHSA-qj4x-9g63-25g6
Share

Severity by source

vuln.today AI
7.5 HIGH

Remote unauthenticated request to the public skin endpoint (AV:N/PR:N/UI:N) with reliable in-webapp file read gives AC:L and C:H; no integrity or availability impact, scope unchanged within the app process.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 13:35 vuln.today

DescriptionCVE.org

Impact

With Jetty 12+ a user can craft a URL to access any resource the Jetty instance is allowed to access.

For example http://[host]/xwiki/bin/skin/..%252f/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd allows downloading the content of the /etc/passwd file, provided Jetty is allowed to read it, and if your XWiki webapp is located exactly 5 levels below / (like /var/lib/jetty/webapps/xwiki, which is the case in the docker image, for example).

Another example which does not go out of the XWiki webapp, but it's still a vulnerability (since users should not be allowed to access Hibernate or XWiki configuration files) is http://[host]/xwiki/bin/skin/..%252f/..%252fWEB-INF/xwiki.cfg.

Patches

This vulnerability has been patched in XWiki 17.10.5 and 18.2.0.

Workarounds

A possible workaround is to use a different application server, like Jetty < 12 (in the case of XWiki < 17) or Tomcat, which don't seem to be impacted.

Resources

  • https://jira.xwiki.org/browse/XWIKI-24075
  • https://jira.xwiki.org/browse/XCOMMONS-3594

For more information

If there are any questions or comments about this advisory:

  • Open an issue in Jira XWiki.org
  • Send an email to the [Security Mailing List](mailto:security@xwiki.org)

Attribution

Lê Ngọc Khoa reported the vulnerability.

AnalysisAI

Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate XWiki-on-Jetty-12 host
Delivery
Craft double-encoded ../ skin URL
Exploit
Bypass path normalization in resource resolver
Execution
Read config or OS file
Impact
Exfiltrate credentials and secrets

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to be XWiki (before 17.10.5 / 18.2.0) served by Jetty version 12 or later - Tomcat and Jetty <12 are not affected, which is the single strongest limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector, EPSS score, or KEV entry was provided, so quantitative risk signals are absent and must be inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker discovers an internet-facing XWiki instance running the Docker image (Jetty 12), then requests http://[host]/xwiki/bin/skin/..%252f/..%252fWEB-INF/xwiki.cfg to retrieve the XWiki and Hibernate configuration, including database credentials. Because the advisory publishes the exact working URLs, no exploit development is needed; the attacker can also attempt the deeper ..%252f chain to /etc/passwd where the webapp depth matches.
Remediation Vendor-released patch: XWiki 17.10.5 and 18.2.0 - upgrade to one of these fixed versions as the primary remediation (advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qj4x-9g63-25g6; upstream fix: https://github.com/xwiki/xwiki-commons/pull/1675; tracking: https://jira.xwiki.org/browse/XCOMMONS-3594 and https://jira.xwiki.org/browse/XWIKI-24075). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all XWiki instances, confirm Jetty version and XWiki version to determine exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Tomcat

View all
CVE-2017-12617 HIGH POC
8.1 Oct 04

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTT

CVE-2016-8735 CRITICAL POC
9.8 Apr 06

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8

CVE-2017-12615 HIGH POC
8.1 Sep 19

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this

CVE-2014-0050 HIGH POC
7.5 Apr 01

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products,

CVE-2017-12616 HIGH
7.5 Sep 19

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or

CVE-2014-0227 MEDIUM
6.4 Feb 16

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and

CVE-2013-5528 MEDIUM POC
4.0 Oct 11

Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager all

CVE-2016-6808 CRITICAL POC
9.8 Apr 12

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2016-1240 HIGH POC
7.8 Oct 03

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debia

CVE-2016-5425 HIGH POC
7.8 Oct 13

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distribu

CVE-2022-22965 CRITICAL POC
9.8 Apr 01

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b

CVE-2025-31650 HIGH POC
7.5 Apr 28

Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely

Share

CVE-2026-34151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy