Path Traversal in Xwiki Xwiki-commons
CVE-2026-23734
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki…
EPSS: 0.001 (16.2th percentile)
Affected products
- Xwiki Xwiki-commons — versions: >= 17.0.0-rc-1, < 17.4.9; >= 17.5.0, < 17.10.3; < 16.10.17
Weakness classification (CWE)