Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Impact
REST API endpoints like /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties list all available pages as part of the metadata for database list properties, which can exhaust available resources on large wikis.
Patches
This problem has been patched by applying the configured query limit also to the available values for database list properties in XWiki 16.10.16, 17.4.8 and 17.10.1.
Workarounds
We're not aware of any workarounds apart from upgrading the affected modules.
AnalysisAI
Denial of service via resource exhaustion in XWiki REST API endpoints that list database properties without respecting configured query limits, allowing remote attackers to enumerate all pages on large wiki installations and exhaust server resources. Affects XWiki Platform versions before 16.10.16, 17.4.8, and 17.10.1. Vendor-released patches are available; no public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
XWiki Platform's REST API endpoints for object properties (specifically database list type properties) return metadata containing complete page listings without enforcing the configured query limit parameter. The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling), where the /xwiki/rest/wikis/{wiki}/spaces/{space}/pages/{page}/objects/{object}/properties endpoints enumerate database values without pagination or result set constraints. The affected Maven packages (xwiki-platform-oldcore and xwiki-platform-legacy-oldcore) contain the query handling logic that failed to apply configured limits to these property value lookups. On installations with large numbers of pages, this causes unbounded resource consumption when the REST API generates metadata for database list properties.
RemediationAI
Upgrade XWiki Platform to patched versions: 16.10.16 or later for the 16.x line, 17.4.8 or later for the 17.4.x line, or 17.10.1 or later for the 17.10.x line. The fix applies the configured query limit to database list property enumeration in REST API responses. No workarounds are available other than upgrading affected modules. Reference the patch commit at https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7 and JIRA issue XWIKI-23550 for technical implementation details.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22817
GHSA-mrqg-xmgm-rc5g