| purl | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.10.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-4tnv-dtd4-ubc5 | XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API | CVE-2026-33229, GHSA-h259-74h5-4rh9 |
| VCID-zha9-bprb-6ucp | XWiki's REST APIs can list all pages/spaces, leading to unavailability. **Impact:** REST API endpoints like `/xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties` list all available pages as part of the metadata for database list properties, which can exhaust available resources on large wikis. **Patches:** This problem has been patched by applying the configured query limit also to the available values for database list properties in XWiki 16.10.16, 17.4.8 and 17.10.1. **Workarounds:** We're not aware of any workarounds apart from upgrading the affected modules. | CVE-2026-40104, GHSA-mrqg-xmgm-rc5g |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T07:45:59.018619+00:00 | GHSA Importer | Fixing | VCID-zha9-bprb-6ucp | https://github.com/advisories/GHSA-mrqg-xmgm-rc5g | 38.4.0 |
| 2026-04-15T12:48:25.116538+00:00 | GithubOSV Importer | Fixing | VCID-zha9-bprb-6ucp | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mrqg-xmgm-rc5g/GHSA-mrqg-xmgm-rc5g.json | 38.4.0 |
| 2026-04-09T22:49:48.468023+00:00 | GithubOSV Importer | Fixing | VCID-4tnv-dtd4-ubc5 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-h259-74h5-4rh9/GHSA-h259-74h5-4rh9.json | 38.1.0 |
| 2026-04-08T19:02:30.629742+00:00 | GHSA Importer | Fixing | VCID-4tnv-dtd4-ubc5 | https://github.com/advisories/GHSA-h259-74h5-4rh9 | 38.1.0 |