CVE-2026-40104

| EUVD-2026-22817 MEDIUM
2026-04-14 https://github.com/xwiki/xwiki-platform GHSA-mrqg-xmgm-rc5g
Denial Of Service
6.9
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 15, 2026 - 01:13 vuln.today

DescriptionNVD

Impact

REST API endpoints like /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties list all available pages as part of the metadata for database list properties, which can exhaust available resources on large wikis.

Patches

This problem has been patched by applying the configured query limit also to the available values for database list properties in XWiki 16.10.16, 17.4.8 and 17.10.1.

Workarounds

We're not aware of any workarounds apart from upgrading the affected modules.

AnalysisAI

Denial of service via resource exhaustion in XWiki REST API endpoints that list database properties without respecting configured query limits, allowing remote attackers to enumerate all pages on large wiki installations and exhaust server resources. Affects XWiki Platform versions before 16.10.16, 17.4.8, and 17.10.1. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-40104 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy