The XWiki security policy is detailed in the following document: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.
Security: xwiki/xwiki-platform
- Privilege escalation from edit to script right through Live Data editing. GHSA-45ph-gxxr-gwgw, published Jun 11, 2026 by tmortagne. Severity: High
- Unauthenticated XAR Import via REST /wikis/{wikiName}. GHSA-qrvh-r3f2-9h4r, published May 20, 2026 by tmortagne. Severity: Critical
- Potential arbitrary file writing using path traversal from (subwiki) admin. GHSA-vgwr-23fq-pr7g, published May 21, 2026 by michitux. Severity: Moderate
- Livetable results still allow reconstructing password hashes using 768 requests. GHSA-rh28-mqj4-8x59, published May 21, 2026 by michitux. Severity: High
- Remote code execution with script right through unprotected Velocity scripting API. GHSA-h259-74h5-4rh9, published Apr 8, 2026 by michitux. Severity: High
- Reflected Cross-Site Scripting (XSS) in page history compare. GHSA-w4fj-87j5-f25c, published Apr 14, 2026 by michitux. Severity: Moderate
- REST APIs can list all pages/spaces, leading to unavailability. GHSA-mrqg-xmgm-rc5g, published Apr 14, 2026 by michitux. Severity: Moderate
- Click-jacking through CSS injection in comments. GHSA-74rh-c5rh-88vg, published Feb 12, 2026 by surli. Severity: Moderate
- Reflected Cross-Site Scripting (XSS) in Error Messages. GHSA-wvqx-m5px-6cmp, published Jan 23, 2026 by michitux. Severity: Moderate
- XJetty allow accessing any application file through URL. GHSA-53gx-j3p6-2rw9, published Dec 1, 2025 by tmortagne. Severity: High
Learn more about advisories related to xwiki/xwiki-platform in the GitHub Advisory Database