CVE-2026-40105
Reflected XSS in XWiki Revision Comparison Risks Admin Control
Publication date: 2026-04-15
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | From 17.0.0 (inc) to 17.4.8 (exc) |
| xwiki | xwiki | From 17.5.0 (inc) to 17.10.1 (exc) |
| xwiki | xwiki | From 10.4 (inc) to 16.10.16 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The reflected cross-site scripting (XSS) vulnerability in the XWiki platform's page revision comparison feature can lead to the execution of arbitrary JavaScript code in the browser of users who view the affected page.
If an administrative user is exploited, this vulnerability can compromise the confidentiality, integrity, and availability of the entire XWiki instance.
Such a compromise could potentially lead to violations of compliance requirements under common standards and regulations like GDPR and HIPAA, which mandate the protection of sensitive data and system integrity.
Specifically, unauthorized script execution could result in data breaches or unauthorized access, impacting personal data confidentiality and system security controls required by these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the page revision comparison feature of the XWiki platform. Detection involves checking if the affected versions of XWiki are in use and testing the compare view between revisions of a page for script injection.
One way to detect the vulnerability is to attempt to inject JavaScript code into the URL parameters used in the changes view (for example, the 'rev1' or 'rev2' parameters of the URL that compares page revisions) and observe whether the script executes in the browser.
Suggested commands or steps for detection include:
- Identify the URL pattern for the revision comparison view, typically something like: /xwiki/bin/view/Space/Page?viewer=changes&rev1=...&rev2=...
- Use curl or a browser to send requests with crafted parameters containing JavaScript payloads, for example: curl -v "http://<xwiki-host>/xwiki/bin/view/Space/Page?viewer=changes&rev1=<script>alert(1)</script>&rev2=1"
- Observe the response in a browser to see if the JavaScript executes, indicating the presence of the vulnerability.
- Alternatively, use web vulnerability scanners that support reflected XSS detection targeting the revision comparison URLs.
Note that the vulnerability affects specific versions of XWiki Platform (10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7, and 17.5.0-rc-1 through 17.10.0). Checking the installed version can help quickly assess exposure.
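As an added example (not part of this advisory record or of the XWiki project), the following Python check classifies an installed XWiki Platform version against the affected ranges stated above and names the first fixed release of the matching branch. The affected and fixed bounds are the ones given on this page; the ordering of XWiki's "-rc-N" builds (a release candidate sorts before the corresponding final release) is an assumption, and version strings with any other qualifier are rejected rather than silently classified.

```python
"""Classify an XWiki Platform version against the affected ranges
published for CVE-2026-40105 (reflected XSS in the revision comparison view).

Ranges come from the advisory text. Pre-release ordering ("-rc-N" sorts
before the matching final release) is an assumption about XWiki's version
scheme, not something the advisory states.
"""
import re
from typing import Optional, Tuple

# Affected ranges exactly as the advisory states them; both bounds are
# inclusive ("10.4-rc-1 through 16.10.15", and so on).
AFFECTED_RANGES = [
    ("10.4-rc-1", "16.10.15"),
    ("17.0.0-rc-1", "17.4.7"),
    ("17.5.0-rc-1", "17.10.0"),
]

# First fixed release of each branch (the exclusive upper bounds from the
# affected-products table).
FIXED_VERSIONS = ["16.10.16", "17.4.8", "17.10.1"]

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-rc-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '17.4.7' or '17.5.0-rc-1' into a comparable tuple.

    The fourth element marks release status: 0 for a release candidate,
    1 for a final release, so 17.5.0-rc-1 < 17.5.0 < 17.5.1 (assumed
    ordering). Unrecognised qualifiers (e.g. '-SNAPSHOT') raise ValueError
    so they are never misclassified as safe.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor or 0), int(patch or 0), 1, 0)
    return (int(major), int(minor or 0), int(patch or 0), 0, int(rc))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest fixed release newer than the given version, or None if the
    version is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed) > v:
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    inventory = {
        "wiki-prod": "16.10.15",
        "wiki-staging": "17.4.8",
        "wiki-legacy": "10.4-rc-1",
        "wiki-dev": "17.10.0",
    }
    for host, ver in inventory.items():
        status = "AFFECTED" if is_affected(ver) else "not affected"
        fix = recommended_upgrade(ver)
        print(f"{host}: {ver} -> {status}" + (f", upgrade to {fix}" if fix else ""))
```

The script reads nothing from the network; feed it the version reported by your own XWiki instances (the "About" page or the deployed WAR's manifest) and upgrade any host reported as affected to the named fixed release.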
Can you explain this vulnerability to me?
This vulnerability is a reflected cross-site scripting (XSS) issue in the XWiki Platform, specifically in the comparison view between revisions of a page. It allows an attacker to execute arbitrary JavaScript code in the browser of a user who views the affected page.
The vulnerability affects versions 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7, and 17.5.0-rc-1 through 17.10.0 of the XWiki Platform.
If the current user is an administrator, the attacker can potentially compromise the confidentiality, integrity, and availability of the entire XWiki instance.
Developers who cannot immediately update can apply a manual patch to the file templates/changesdoc.vm in the deployed WAR to mitigate the issue.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute malicious JavaScript code in your browser when you view the comparison of page revisions in XWiki.
If you are an administrator, the impact is more severe as the attacker could compromise the entire XWiki instance, affecting its confidentiality, integrity, and availability.
This could lead to unauthorized access, data manipulation, or denial of service within your XWiki environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this reflected cross-site scripting (XSS) vulnerability in XWiki Platform versions 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7, and 17.5.0-rc-1 through 17.10.0, you should update your XWiki instance to a fixed version as soon as possible.
If immediate updating is not possible, developers can manually apply the provided patch to the file templates/changesdoc.vm in the deployed WAR to fix the vulnerability.