XSS in Xwiki Xwiki-platform

CVE-2026-40105

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scri…

EPSS: 0.007 (73.2th percentile) — read the EPSS interpretation.

Affected products

Xwiki Xwiki-platform — versions >= 10.4-rc-1, < 16.10.16, >= 17.0.0-rc-1, < 17.4.8, >= 17.5.0-rc-1, < 17.10.1

Weakness classification (CWE)

CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c (x_refsource_CONFIRM)
https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c (x_refsource_MISC)
https://jira.xwiki.org/browse/XWIKI-23472 (x_refsource_MISC)