CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-56158 – XWiki allows SQL injection in query endpoint of REST API with Oracle
https://notcve.org/view.php?id=CVE-2024-56158
12 Jun 2025 — XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-prwh-7838-xf82 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 1%CPEs: 2EXPL: 0CVE-2025-48063 – XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right
https://notcve.org/view.php?id=CVE-2025-48063
21 May 2025 — XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means t... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp • CWE-285: Improper Authorization •
CVSS: 8.4EPSS: 0%CPEs: 3EXPL: 0CVE-2025-46557 – Any user with view access to the XWiki space can change the authenticator
https://notcve.org/view.php?id=CVE-2025-46557
30 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 15.3-rc-1 to before 15.10.14, from 16.0.0-rc-1 to before 16.4.6, and from 16.5.0-rc-1 to before 16.10.0-rc-1, a user who can access pages located in the XWiki space (by default, anyone) can access the page XWiki.Authentication.Administration and (unless an authenticator is set in xwiki.cfg) switch to another installed authenticator. Note that, by default, there is only one authenticator available (Standard XWiki Authenticator). So, if no authentica... • https://github.com/xwiki/xwiki-platform/commit/5efc31cea1501c9a5cb593566fea8b558ff32a2a • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 5%CPEs: 3EXPL: 0CVE-2025-32969 – org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API
https://notcve.org/view.php?id=CVE-2025-32969
23 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used... • https://github.com/xwiki/xwiki-platform/commit/5c11a874bd24a581f534d283186e209bbccd8113 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2025-32968 – org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API
https://notcve.org/view.php?id=CVE-2025-32968
23 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has b... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g9jj-75mx-wjcx • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 1%CPEs: 3EXPL: 0CVE-2025-29926 – The WikiManager REST API allows any user to create wikis
https://notcve.org/view.php?id=CVE-2025-29926
19 Mar 2025 — XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module. • https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99 • CWE-285: Improper Authorization •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-29925 – XWiki allows unregistered users to access private pages information through REST endpoint
https://notcve.org/view.php?id=CVE-2025-29925
19 Mar 2025 — XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpo... • https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-29924 – XWiki uses the wrong wiki reference in AuthorizationManager
https://notcve.org/view.php?id=CVE-2025-29924
19 Mar 2025 — XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages". or "Prevent unregistered users to edit pages". It's possible to detect the vulnerability by ... • https://github.com/xwiki/xwiki-platform/commit/5f98bde87288326cf5787604e2bb87836875ed0e • CWE-269: Improper Privilege Management •