
XWiki Platform CVE-2026-48047

Severity: MEDIUM
Weakness: Path Traversal: '../filedir' (CWE-24)
Date: 2026-05-26
Repository: https://github.com/xwiki/xwiki-platform
Advisory: GHSA-vgwr-23fq-pr7g

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 08, 2026 - 12:10 (vuln.today)
  • Analysis Generated: Jun 08, 2026 - 12:10 (vuln.today)

Description (CVE.org)

Impact

A potential path traversal vulnerability allows an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe, such as overriding configuration files and setting the superadmin password, the attack first requires that the attacker already has admin access to at least a subwiki in order to install a malicious extension. Further, the attacker needs to publish a malicious extension in an extension repository that is configured in the instance.

Patches

This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, and 18.0.0RC1.

Workarounds

XWiki is not aware of any workarounds except for being careful about whom script and admin rights are granted to.

Resources

  • https://jira.xwiki.org/browse/XWIKI-23902
  • https://github.com/xwiki/xwiki-platform/commit/9f747fcd3200259a1de51957d3f5f6acc8e3816c

Analysis (AI)

Path traversal in XWiki Platform's WebJars API enables a subwiki admin who can publish and install a malicious WebJar extension to write arbitrary files anywhere on the server filesystem. The affected Maven component xwiki-platform-webjars-api fails to validate that JAR entry paths extracted during extension installation remain within the intended export directory, allowing overwrite of configuration files or potential superadmin credential manipulation. …
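The boundary check that the analysis describes as missing, shown as an added Java example: this is not XWiki's code and not the patched FilesystemResourceReferenceCopier; the class name, method name and export directory path are assumptions. It resolves each JAR entry name against the export directory and rejects any entry whose normalized path would land outside it.

```java
import java.io.IOException;
import java.nio.file.Path;

/**
 * Added example (not XWiki code). Every JAR entry name is resolved against the
 * export directory and rejected unless the normalized result still lies inside
 * it, so an entry such as "../../webapps/xwiki/WEB-INF/xwiki.cfg" (the traversal
 * sequence named on this page) cannot escape during extraction.
 */
public final class SafeWebJarExport {

    private SafeWebJarExport() {}

    /**
     * Returns the on-disk path for {@code entryName} inside {@code exportDir},
     * or throws if the entry would escape it. Names are hypothetical.
     */
    public static Path resolveInside(Path exportDir, String entryName) throws IOException {
        Path root = exportDir.toAbsolutePath().normalize();
        // A JAR entry should always be relative; reject absolute names outright.
        if (entryName.startsWith("/") || entryName.startsWith("\\")) {
            throw new IOException("Absolute JAR entry rejected: " + entryName);
        }
        // normalize() collapses "." and ".." components. If the ".." components
        // climb above the root, the result no longer starts with the root.
        // startsWith() compares whole path components, so a sibling directory
        // such as "/tmp/export-evil" does not pass for root "/tmp/export".
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("JAR entry escapes export directory: " + entryName);
        }
        return target;
    }

    /** Runs the check on an ordinary WebJar entry and on a traversal entry. */
    public static void main(String[] args) throws IOException {
        Path exportDir = Path.of("/tmp/xwiki-webjars-export"); // constructed sample path
        System.out.println("ok: "
            + resolveInside(exportDir, "META-INF/resources/webjars/lib/1.0/lib.js"));
        try {
            resolveInside(exportDir, "../../webapps/xwiki/WEB-INF/xwiki.cfg");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

This is a lexical check only; if the archive format in use can carry symbolic-link entries, also resolve the parent directory with toRealPath() before writing so a previously extracted link cannot redirect a later entry.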


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Attacker obtains subwiki admin credentials
  • Delivery: Publishes malicious WebJar with path traversal entries to configured extension repository
  • Exploit: Extension installed on wiki instance
  • Execution: FilesystemResourceReferenceCopier extracts JAR entries without boundary validation
  • Persist: Arbitrary files written outside export directory
  • Impact: Configuration files overwritten, superadmin credentials reset

Vulnerability Assessment (AI)

Exploitation: Exploitation requires two concrete preconditions: (1) the attacker must hold admin rights to at least one subwiki within the target XWiki instance; unauthenticated or low-privilege users cannot trigger this path; (2) the attacker must be able to publish a malicious WebJar extension to an extension repository that is actively configured and trusted by the XWiki instance, and that extension must be installed on the wiki (either by the attacker themselves, if they have install rights, or by a higher-privileged administrator). …

Risk Assessment: No CVSS vector is available for this CVE, preventing quantitative scoring comparison. …

Exploit Scenario: An attacker who holds subwiki admin access publishes a crafted WebJar extension to a repository configured in the target XWiki instance; the JAR contains entries with path traversal sequences such as `../../webapps/xwiki/WEB-INF/xwiki.cfg`. Once the extension is installed, either by the attacker directly or by persuading another administrator, `FilesystemResourceReferenceCopier` extracts the malicious entries outside the export directory, overwriting XWiki configuration files and enabling the attacker to reset the superadmin password and achieve full instance compromise. …

Remediation: Upgrade XWiki Platform to a patched release: 16.10.17 for the 16.x LTS branch, 17.4.9 for the 17.4.x branch, 17.10.3 for the 17.10.x branch, or 18.0.0RC1 and later. …
