Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.5.0-rc-1
purl pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.5.0-rc-1
Next non-vulnerable version 17.10.1
Latest non-vulnerable version 17.10.1
Risk 4.4
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-4tnv-dtd4-ubc5
Aliases:
CVE-2026-33229
GHSA-h259-74h5-4rh9
XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API
17.10.1
Affected by 0 other vulnerabilities.
VCID-zha9-bprb-6ucp
Aliases:
CVE-2026-40104
GHSA-mrqg-xmgm-rc5g
XWiki's REST APIs can list all pages/spaces, leading to unavailability ### Impact REST API endpoints like `/xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties` list all available pages as part of the metadata for database list properties, which can exhaust available resources on large wikis. ### Patches This problem has been patched by applying the configured query limit also to the available values for database list properties in XWiki 16.10.16, 17.4.8 and 17.10.1. ### Workarounds We're not aware of any workarounds apart from upgrading the affected modules.
17.10.1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T07:45:59.015133+00:00 GHSA Importer Affected by VCID-zha9-bprb-6ucp https://github.com/advisories/GHSA-mrqg-xmgm-rc5g 38.4.0
2026-04-08T19:02:30.624066+00:00 GHSA Importer Affected by VCID-4tnv-dtd4-ubc5 https://github.com/advisories/GHSA-h259-74h5-4rh9 38.1.0