CVE-2019-10089

MEDIUM

Apache JSPWiki < 2.11.0.M5 - Cross-Site Scripting via WYSIWYG Editor Plugin Link

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-10089. PoCs published by shoucheng3.

AI-analyzed exploit summary: This repository contains the Apache JSPWiki source code and integration tests, but no explicit exploit code for CVE-2019-10089. The README provides installation and configuration details for JSPWiki, while the Java files are integration tests for functionality like anonymous viewing and login.

Description

In Apache JSPWiki up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability related to the WYSIWYG editor, which could allow an attacker to execute JavaScript in the victim's browser and obtain some sensitive information about the victim.

Exploits (1)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/apache__jspwiki_CVE-2019-10089_2-11-0-M4


Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Apache JSPWiki 2.11.0-M4
No auth needed
Prerequisites: Access to JSPWiki installation
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 6.1
EPSS: 0.0437
EPSS Percentile: 89.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (3)
apache/jspwiki 2.11.0 m1 (12 CPE variants)
apache/jspwiki < 2.10.5
org.apache.jspwiki/jspwiki-war 2.9.0 - 2.11.0.M5 (Maven)
Published: Sep 23, 2019
Tracked Since: Feb 18, 2026