Resource exhaustion in XWiki org.xwiki.platform:xwiki-platform-legacy-oldcore
CVE-2026-40104
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xw…
EPSS: 0.001 (21.9th percentile)
Affected products
- XWiki org.xwiki.platform:xwiki-platform-legacy-oldcore, versions: >= 1.8-rc-1, < 16.10.16; >= 17.0.0-rc-1, < 17.4.8; >= 17.5.0-rc-1, < 17.10.1
- XWiki org.xwiki.platform:xwiki-platform-oldcore, versions: >= 1.8-rc-1, < 16.10.16; >= 17.0.0-rc-1, < 17.4.8; >= 17.5.0-rc-1, < 17.10.1
Weakness classification (CWE)
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g (x_refsource_CONFIRM)
- https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7 (x_refsource_MISC)
- https://jira.xwiki.org/browse/XWIKI-23550 (x_refsource_MISC)