GHSA-VGWR-23FQ-PR7G
Vulnerability from github – Published: 2026-05-26 19:33 – Updated: 2026-05-26 19:33
VLAI
Summary
XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin
Details
Impact
A potential path traversal vulnerability allow an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe like overriding configuration files and setting the superadmin password, the attack first requires that the attacker already has admin access to at least a subwiki to be able to install a malicious extension. Further, the attacker needs to publish a malicious extension in an extension repository that is configured in the instance.
Patches
This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, and 18.0.0RC1.
Workarounds
XWiki is not aware of any workarounds except for being careful whom developers grant script and admin rights to.
Resources
- https://jira.xwiki.org/browse/XWIKI-23902
- https://github.com/xwiki/xwiki-platform/commit/9f747fcd3200259a1de51957d3f5f6acc8e3816c
Severity
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-webjars-api"
},
"ranges": [
{
"events": [
{
"introduced": "9.6-rc-1"
},
{
"fixed": "16.10.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-webjars-api"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0-rc-1"
},
{
"fixed": "17.4.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-webjars-api"
},
"ranges": [
{
"events": [
{
"introduced": "17.5.0-rc-1"
},
{
"fixed": "17.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48047"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-26T19:33:44Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nA potential path traversal vulnerability allow an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe like overriding configuration files and setting the superadmin password, the attack first requires that the attacker already has admin access to at least a subwiki to be able to install a malicious extension. Further, the attacker needs to publish a malicious extension in an extension repository that is configured in the instance.\n\n### Patches\nThis vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, and 18.0.0RC1.\n\n### Workarounds\nXWiki is not aware of any workarounds except for being careful whom developers grant script and admin rights to.\n\n### Resources\n* https://jira.xwiki.org/browse/XWIKI-23902\n* https://github.com/xwiki/xwiki-platform/commit/9f747fcd3200259a1de51957d3f5f6acc8e3816c",
"id": "GHSA-vgwr-23fq-pr7g",
"modified": "2026-05-26T19:33:44Z",
"published": "2026-05-26T19:33:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vgwr-23fq-pr7g"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/9f747fcd3200259a1de51957d3f5f6acc8e3816c"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-23902"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…