What is the CVSS score of CVE-2026-48048?

CVE-2026-48048 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Which versions of XWiki Platform are affected by CVE-2026-48048?

XWiki Platform contains an information disclosure vulnerability in its LiveTableResults macro that allows unauthenticated remote attackers to extract password hash data through repeated requests,…. A patch is available.

XWiki Platform CVE-2026-48048

HIGH

Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)

2026-05-26 https://github.com/xwiki/xwiki-platform

GHSA-rh28-mqj4-8x59

Information Disclosure Atlassian

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

May 26, 2026 - 21:03 vuln.today

Analysis Generated

May 26, 2026 - 21:03 vuln.today

DescriptionNVD

Impact

XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient and with slightly modified parameters to the LiveTableResults, it is still possible to discover password hashes one bit at a time, so with 768 requests, the full password salt and hash can be retrieved of a user.

Patches

The check for password (and email properties) has been adjusted in XWiki 18.0.0RC1, 17.10.13, 17.4.9 and 16.10.17.

Workarounds

The patch can be applied manually to the wiki page XWiki.LiveTableResultsMacros.

Resources

https://jira.xwiki.org/browse/XWIKI-23875
https://github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa

AnalysisAI

Information disclosure in XWiki Platform's LiveTableResults macro allows unauthenticated remote attackers to reconstruct user password hashes and salts one bit at a time by sending approximately 768 crafted requests with manipulated class-per-property parameters. This is a bypass of the prior fix for GHSA-5cf8-vrr8-8hjm, which failed to account for an alternate parameter path. …

RemediationAI

24 hours: Identify all XWiki Platform instances and document current versions in your environment. 7 days: Obtain and apply available vendor security patch for CVE-2026-48048 per XWiki security advisory. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-48048 vulnerability details – vuln.today

Back

XWiki Platform CVE-2026-48048

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Workarounds

Resources

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code