Vulnerability_id VCID-zha9-bprb-6ucp
Summary
XWiki's REST APIs can list all pages/spaces, leading to unavailability
### Impact
REST API endpoints like `/xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties` list all available pages as part of the metadata for database list properties, which can exhaust available resources on large wikis.

### Patches
This problem has been patched by applying the configured query limit also to the available values for database list properties in XWiki 16.10.16, 17.4.8 and 17.10.1.

### Workarounds
We're not aware of any workarounds apart from upgrading the affected modules.
Aliases
- CVE-2026-40104
- GHSA-mrqg-xmgm-rc5g
Fixed_packages

| purl | is_vulnerable | affected_by_vulnerabilities | resource_url |
|---|---|---|---|
| pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore@16.10.16 | false | | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore@16.10.16 |
| pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore@17.4.8 | false | | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore@17.4.8 |
| pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore@17.10.1 | false | | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore@17.10.1 |
| pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@16.10.16 | false | | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@16.10.16 |
| pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.4.8 | false | | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.4.8 |
| pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.10.1 | false | | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.10.1 |
Affected_packages

| purl | is_vulnerable | affected_by_vulnerabilities | resource_url |
|---|---|---|---|
| pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore@1.8-rc-1 | true | VCID-zha9-bprb-6ucp | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore@1.8-rc-1 |
| pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore@17.0.0-rc-1 | true | VCID-3m9j-nt38-x3hq, VCID-4tnv-dtd4-ubc5, VCID-p59s-q94b-9kb6, VCID-zha9-bprb-6ucp | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore@17.0.0-rc-1 |
| pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore@17.5.0-rc-1 | true | VCID-4tnv-dtd4-ubc5, VCID-zha9-bprb-6ucp | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore@17.5.0-rc-1 |
| pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@1.8-rc-1 | true | VCID-zha9-bprb-6ucp | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@1.8-rc-1 |
| pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.0.0-rc-1 | true | VCID-3m9j-nt38-x3hq, VCID-4n2t-crsf-87gr, VCID-4tnv-dtd4-ubc5, VCID-p59s-q94b-9kb6, VCID-zha9-bprb-6ucp | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.0.0-rc-1 |
| pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.5.0-rc-1 | true | VCID-4tnv-dtd4-ubc5, VCID-zha9-bprb-6ucp | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.5.0-rc-1 |
References

1. reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40104
   - scoring_system epss, value 0.00037, scoring_elements 0.10787, published_at 2026-04-16T12:55:00Z
   - scoring_system epss, value 0.00038, scoring_elements 0.11138, published_at 2026-04-18T12:55:00Z
   - scoring_system epss, value 0.00049, scoring_elements 0.1524, published_at 2026-04-21T12:55:00Z
   - scoring_system epss, value 0.00076, scoring_elements 0.22601, published_at 2026-04-24T12:55:00Z
2. reference_url https://github.com/xwiki/xwiki-platform
   - scoring_system cvssv4, value 6.9, scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
   - scoring_system generic_textual, value MODERATE
3. reference_url https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7
   - scoring_system cvssv3.1, value 8.2, scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
   - scoring_system cvssv4, value 6.9, scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
   - scoring_system generic_textual, value MODERATE
   - scoring_system ssvc, value Track, scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:08:13Z/
4. reference_url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g
   - scoring_system cvssv3.1, value 8.2, scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
   - scoring_system cvssv3.1_qr, value MODERATE
   - scoring_system cvssv4, value 6.9, scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
   - scoring_system generic_textual, value MODERATE
   - scoring_system ssvc, value Track, scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:08:13Z/
5. reference_url https://jira.xwiki.org/browse/XWIKI-23550
   - scoring_system cvssv3.1, value 8.2, scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
   - scoring_system cvssv4, value 6.9, scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
   - scoring_system generic_textual, value MODERATE
   - scoring_system ssvc, value Track, scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:08:13Z/
6. reference_url https://github.com/advisories/GHSA-mrqg-xmgm-rc5g (reference_id GHSA-mrqg-xmgm-rc5g)
   - scoring_system cvssv3.1_qr, value MODERATE
Weaknesses
- cwe_id 770, name Allocation of Resources Without Limits or Throttling. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Exploits

Severity_range_score 4.0 - 8.2
Exploitability 0.5
Weighted_severity 7.4
Risk_score 3.7
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zha9-bprb-6ucp