CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Impact
A reflected cross-site scripting (XSS) vulnerability in the compare view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can affect not only the current user but also the confidentiality, integrity and availability of the whole XWiki instance.
Patches
The problem has been patched by properly escaping the URL parameters.
Workarounds
The patch can be applied manually to templates/changesdoc.vm in the deployed WAR.
Attribution
XWiki thanks Mike Cole @mikecole-mg for discovering and reporting this vulnerability.
Analysis (AI)
Reflected cross-site scripting (XSS) in XWiki's compare view allows unauthenticated attackers to execute arbitrary JavaScript in a user's browser by injecting malicious code through unescaped URL parameters in the page revision comparison feature. When the victim is an administrator, successful exploitation compromises the confidentiality, integrity, and availability of the entire XWiki instance. …
EUVD-2026-22819
GHSA-w4fj-87j5-f25c