CVE-2026-24128
Reflected XSS in XWiki Platform Enables Privilege Escalation
Publication date: 2026-01-24
Last updated on: 2026-02-12
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | 17.0.0 |
| xwiki | xwiki-rendering | 17.5.0 |
| xwiki | xwiki | 7.0 |
| xwiki | xwiki | From 17.0.1 (inc) to 17.4.5 (exc) |
| xwiki | xwiki | From 17.6.0 (inc) to 17.8.0 (exc) |
| xwiki | xwiki | From 7.0.1 (inc) to 16.10.12 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24128 is a reflected Cross-Site Scripting (XSS) vulnerability in the XWiki platform, specifically in error messages. It occurs because special characters in extension IDs are not properly escaped in log messages, allowing an attacker to craft a malicious URL that, when visited by a victim, executes arbitrary scripts with the victim's privileges. If the victim has administrative or programming rights, the attacker can gain full control over the XWiki installation. The vulnerability arises from improper sanitization of input reflected in error messages, enabling script injection and execution in the victim's browser context. [2, 5]
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary actions within the XWiki platform using the victim's privileges by tricking the victim into visiting a malicious URL. If the victim has elevated privileges such as administrative or programming rights, the attacker can leverage these to gain full access and control over the XWiki installation. This can lead to unauthorized access, modification, or disruption of the platform. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your XWiki Platform installation is running a vulnerable version (7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, or 17.5.0-rc-1 through 17.7.0). You can verify the version of XWiki installed. Additionally, detection involves testing for reflected XSS by crafting URLs that include script tags or special characters and observing if these are improperly escaped in error messages or logs. There are no specific commands provided in the resources, but you can use tools like curl or a browser to send crafted URLs to the XWiki instance and observe the response for script execution or reflected input. For example, using curl to send a request with a script payload in the URL and checking the response for unescaped script tags may help detect the vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading your XWiki Platform to a patched version: 16.10.12, 17.4.5, or 17.8.0-rc-1 or later. If upgrading is not immediately possible, you can manually apply the patch by modifying a single line in the `templates/logging_macros.vm` file to properly escape extension IDs in log messages, as described in the fix. This manual patch does not require a system restart. Applying this fix prevents the reflected XSS vulnerability by ensuring special characters are properly escaped in error messages. [2, 5]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this reflected Cross-site Scripting (XSS) vulnerability in XWiki Platform directly affects compliance with common standards and regulations such as GDPR or HIPAA. While the vulnerability allows attackers to execute arbitrary actions with the victim's privileges, potentially leading to full access if the victim has administrative rights, there is no explicit mention of impacts on data protection or regulatory compliance in the provided resources.