CVE-2026-40105
Published:April 15, 2026
Updated:April 23, 2026
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.
Affected Packages
https://github.com/xwiki/xwiki-platform.git (GITHUB):
Affected version(s) >=xwiki-platform-16.10.0 <xwiki-platform-16.10.16Fix Suggestion:
Update to version xwiki-platform-16.10.16https://github.com/xwiki/xwiki-platform.git (GITHUB):
Affected version(s) >=xwiki-platform-17.4.0 <xwiki-platform-17.4.8Fix Suggestion:
Update to version xwiki-platform-17.4.8https://github.com/xwiki/xwiki-platform.git (GITHUB):
Affected version(s) =xwiki-platform-17.10.0 <xwiki-platform-17.10.1Fix Suggestion:
Update to version xwiki-platform-17.10.1org.xwiki.platform:xwiki-platform-web-templates (JAVA):
Affected version(s) >=17.5.0 <17.10.1Fix Suggestion:
Update to version 17.10.1org.xwiki.platform:xwiki-platform-web-templates (JAVA):
Affected version(s) >=13.4-rc-1 <16.10.16Fix Suggestion:
Update to version 16.10.16org.xwiki.platform:xwiki-platform-web-templates (JAVA):
Affected version(s) >=17.0.0-rc-1 <17.4.8Fix Suggestion:
Update to version 17.4.8Related ResourcesĀ (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
EPSS
Base Score:
0.04
