Skip to main content

CVE-2026-40105

| EUVD-2026-22819 MEDIUM
Basic XSS (CWE-80)
2026-04-14 https://github.com/xwiki/xwiki-platform GHSA-w4fj-87j5-f25c
XSS
6.5
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
PoC Detected
Apr 23, 2026 - 13:52 vuln.today
Public exploit code
Analysis Generated
Apr 15, 2026 - 01:12 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:46 euvd
EUVD-2026-22819
Analysis Generated
Apr 14, 2026 - 22:46 vuln.today
Patch released
Apr 14, 2026 - 22:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 22:33 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Impact

A reflected cross-site scripting vulnerability (XSS) in the compare view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance.

Patches

The problem has been patched by properly escaping the URL parameters.

Workarounds

The patch can be applied manually to templates/changesdoc.vm in the deployed WAR.

Attribution

XWiki thanks Mike Cole @mikecole-mg for discovering and reporting this vulnerability.

AnalysisAI

Reflected cross-site scripting (XSS) in XWiki's compare view allows unauthenticated attackers to execute arbitrary JavaScript in a user's browser by injecting malicious code through unescaped URL parameters in the page revision comparison feature. When the victim is an administrator, successful exploitation compromises the confidentiality, integrity, and availability of the entire XWiki instance. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted URL with XSS payload
Delivery
Browser loads compare view page
Exploit
Unescaped URL parameter reflected in HTML
Execution
JavaScript executes in victim's session
Impact
Admin privileges escalate impact to full instance
Sign in to reveal

Vulnerability AssessmentAI

Risk Assessment Without a CVSS vector or EPSS score provided, risk assessment relies on structural analysis. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to an XWiki instance's compare view endpoint with malicious JavaScript injected into a URL parameter (e.g., a page name or revision identifier). The attacker sends this link to an XWiki administrator via email or embeds it in a forum post. …
Remediation Apply the vendor patch by updating org.xwiki.platform:xwiki-platform-web-templates to a version released after the fix commit (3c8a2ec985641367015c2db937574fcd360c788c). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40105 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy