CVE-2026-24128
Unknown Unknown - Not Provided
Reflected XSS in XWiki Platform Enables Privilege Escalation

Publication date: 2026-01-24

Last updated on: 2026-02-12

Assigner: GitHub, Inc.

Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24128
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
xwiki xwiki 17.0.0
xwiki xwiki-rendering 17.5.0
xwiki xwiki 7.0
xwiki xwiki 7.0
xwiki xwiki From 17.0.1 (inc) to 17.4.5 (exc)
xwiki xwiki From 17.6.0 (inc) to 17.8.0 (exc)
xwiki xwiki From 7.0.1 (inc) to 16.10.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24128 is a reflected Cross-Site Scripting (XSS) vulnerability in the XWiki platform, specifically in error messages. It occurs because special characters in extension IDs are not properly escaped in log messages, allowing an attacker to craft a malicious URL that, when visited by a victim, executes arbitrary scripts with the victim's privileges. If the victim has administrative or programming rights, the attacker can gain full control over the XWiki installation. The vulnerability arises from improper sanitization of input reflected in error messages, enabling script injection and execution in the victim's browser context. [2, 5]

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary actions within the XWiki platform using the victim's privileges by tricking the victim into visiting a malicious URL. If the victim has elevated privileges such as administrative or programming rights, the attacker can leverage these to gain full access and control over the XWiki installation. This can lead to unauthorized access, modification, or disruption of the platform. [2]

Detection Guidance

This vulnerability can be detected by checking if your XWiki Platform installation is running a vulnerable version (7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, or 17.5.0-rc-1 through 17.7.0). You can verify the version of XWiki installed. Additionally, detection involves testing for reflected XSS by crafting URLs that include script tags or special characters and observing if these are improperly escaped in error messages or logs. There are no specific commands provided in the resources, but you can use tools like curl or a browser to send crafted URLs to the XWiki instance and observe the response for script execution or reflected input. For example, using curl to send a request with a script payload in the URL and checking the response for unescaped script tags may help detect the vulnerability. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading your XWiki Platform to a patched version: 16.10.12, 17.4.5, or 17.8.0-rc-1 or later. If upgrading is not immediately possible, you can manually apply the patch by modifying a single line in the `templates/logging_macros.vm` file to properly escape extension IDs in log messages, as described in the fix. This manual patch does not require a system restart. Applying this fix prevents the reflected XSS vulnerability by ensuring special characters are properly escaped in error messages. [2, 5]

Compliance Impact

The provided information does not specify how this reflected Cross-site Scripting (XSS) vulnerability in XWiki Platform directly affects compliance with common standards and regulations such as GDPR or HIPAA. While the vulnerability allows attackers to execute arbitrary actions with the victim's privileges, potentially leading to full access if the victim has administrative rights, there is no explicit mention of impacts on data protection or regulatory compliance in the provided resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24128. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart