CVE-2026-23734
Deferred Deferred - Pending Action
Path Traversal in XWiki Platform via SSX/JSX Endpoints

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability is can be exploited via resources parameter the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-23734
EUVD
EUVD-2026-31152
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
xwiki xwiki_platform to 18.1.0-rc-1 (exc)
xwiki xwiki_platform 17.10.3
xwiki xwiki_platform 17.4.9
xwiki xwiki_platform 16.10.17
xwiki xwiki_commons to 18.1.0-rc-1 (exc)
xwiki xwiki_commons 17.10.3
xwiki xwiki_commons 17.4.9
xwiki xwiki_commons 16.10.17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23734 is a critical path traversal vulnerability in the XWiki Platform affecting the ssx and jsx endpoints. It allows attackers to read sensitive configuration files by exploiting the resources parameter with leading slashes. This enables unauthorized access to files such as /WEB-INF/xwiki.cfg via specially crafted URLs.

The vulnerability arises from improper input handling that permits directory traversal outside the intended restricted paths, classified as CWE-23 (Relative Path Traversal). It affects versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 and has been patched in these versions.

Compliance Impact

The vulnerability allows unauthorized access to sensitive configuration files through path traversal, which can lead to exposure of confidential information.

Such unauthorized data exposure can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.

Failure to patch this vulnerability could result in breaches of confidentiality, potentially leading to regulatory penalties and loss of trust.

Impact Analysis

This vulnerability can have severe impacts including unauthorized disclosure of sensitive configuration files, which may contain critical information about the system setup and credentials.

Because the vulnerability requires no privileges or user interaction to exploit, attackers can remotely access confidential data, potentially compromising confidentiality, integrity, and availability of the system.

Detection Guidance

This vulnerability can be detected by attempting to access sensitive configuration files through the vulnerable endpoints using crafted URLs that exploit path traversal via the resources parameter.

For example, you can test the vulnerability by sending HTTP requests to the ssx or jsx endpoints with a URL similar to:

  • http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false

If the server responds with the contents of the configuration file or any sensitive file outside the intended directory, the system is vulnerable.

You can use command-line tools like curl or wget to perform this test, for example:

  • curl -i "http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false"
  • wget -qO- "http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false"
Mitigation Strategies

The primary and immediate mitigation step is to upgrade XWiki Platform to a patched version where this vulnerability is fixed.

  • Upgrade to one of the fixed versions: 18.1.0-rc-1, 17.10.3, 17.4.9, or 16.10.17.

There are no known workarounds other than upgrading, so applying the patch is critical to prevent exploitation.

The patch includes improved path normalization and handling of leading slashes in resource paths to prevent directory traversal attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23734. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart