What is CVE-2026-33229?

CVE-2026-33229 is a vulnerability in Org.xwiki.platform Xwiki-platform-legacy-oldcore, classified under Missing Authorization. Published 2026-04-08.

Is CVE-2026-33229 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Auth bypass in Org.xwiki.platform Xwiki-platform-legacy-oldcore

CVE-2026-33229

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the V…

Vulnerability class: Broken Access Control

EPSS: 0.001 (21.5th percentile) — read the EPSS interpretation.

Affected products

Org.xwiki.platform Xwiki-platform-legacy-oldcore — versions >= 17.0.0-rc-1, < 17.4.8, >= 17.5.0-rc-1, < 17.10.1
Org.xwiki.platform Xwiki-platform-oldcore — versions >= 17.0.0-rc-1, < 17.4.8, >= 17.5.0-rc-1, < 17.10.1
Xwiki Xwiki-platform — versions >= 17.0.0-rc-1, < 17.4.8, >= 17.5.0-rc-1, < 17.10.1

Weakness classification (CWE)

CWE-862 — Missing Authorization

Public proof-of-concept exploits

azefzafyoussef/CVE-2026-33229

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9 (x_refsource_CONFIRM)
https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63 (x_refsource_MISC)
https://jira.xwiki.org/browse/XWIKI-23698 (x_refsource_MISC)
https://jira.xwiki.org/browse/XWIKI-23702 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33229?: CVE-2026-33229 is a vulnerability in Org.xwiki.platform Xwiki-platform-legacy-oldcore, classified under Missing Authorization. Published 2026-04-08.
Is CVE-2026-33229 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.