CVE-2024-31982

CRITICAL EXPLOITED NUCLEI

XWiki Platform <4.10.20,15.5.4,15.10-rc-1 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2024-31982 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including bigb0x, NanoWraith, LibreCoder951. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional Python script that exploits CVE-2024-31982, a remote code execution vulnerability in XWiki Platform versions greater than 14.10.20. The exploit sends a crafted HTTP request to trigger Groovy code execution via the DatabaseSearch endpoint.

Description

XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.

Exploits (6)

nomisec WORKING POC 10 stars
by bigb0x · remote
https://github.com/bigb0x/CVE-2024-31982

This repository contains a functional Python script that exploits CVE-2024-31982, a remote code execution vulnerability in XWiki Platform versions greater than 14.10.20. The exploit sends a crafted HTTP request to trigger Groovy code execution via the DatabaseSearch endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: XWiki Platform > 14.10.20
No auth needed
Prerequisites: Network access to the target XWiki instance
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by NanoWraith · poc
https://github.com/NanoWraith/CVE-2024-31982

This repository contains a functional Python script that exploits CVE-2024-31982, a Java SSTI vulnerability in XWiki leading to RCE. The exploit sends a crafted HTTP request with a Groovy payload to trigger remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: XWiki
No auth needed
Prerequisites: Target XWiki instance accessible via HTTP · Network connectivity to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
gitlab WORKING POC
by LibreCoder951 · poc
https://gitlab.com/LibreCoder951/cve-2024-31982-reverse-shell

This repository contains a functional proof-of-concept exploit for CVE-2024-31982, which targets an unauthenticated remote code execution vulnerability in XWiki. The exploit crafts a malicious payload using Groovy script injection via the SolrSearch endpoint to establish a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: XWiki (multiple versions)
No auth needed
Prerequisites: Vulnerable XWiki instance · Attacker-controlled listener (e.g., netcat) · .NET 9.0 runtime
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WORKING POC
by raishin1 · remote-auth
https://github.com/raishin1/CVE-2024-31982

This repository contains a functional exploit for CVE-2024-31982, targeting XWiki. The exploit leverages a Groovy script injection vulnerability to achieve remote code execution (RCE) by crafting a malicious URL with an async Groovy payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: XWiki (version not specified)
Auth required
Prerequisites: Valid credentials for XWiki · Network access to the target XWiki instance
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC
by th3gokul · remote
https://github.com/th3gokul/CVE-2024-31982

The repository contains a functional exploit tool for CVE-2024-31982, which targets a vulnerability in XWiki. The exploit sends a crafted request to trigger a Groovy script injection, demonstrating the vulnerability by printing a specific string in the response title.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: XWiki
No auth needed
Prerequisites: Network access to the target XWiki instance
devstral-2 · analyzed Feb 18, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/k3lpi3b4nsh33/CVE-2024-31982

This repository contains a functional Python script that exploits CVE-2024-31982, a Java SSTI vulnerability in XWiki leading to RCE. The exploit sends a crafted HTTP GET request with a Groovy payload to trigger the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: XWiki
No auth needed
Prerequisites: Target URL list in 'new_url.txt'
devstral-2 · analyzed Feb 25, 2026 Full analysis →

Nuclei Templates (1)

XWiki < 4.10.20 - Remote code execution
CRITICALVERIFIEDby ritikchaddha
Shodan: html:"data-xwiki-reference"
FOFA: body="data-xwiki-reference"

References (8)

Core 8
Core References
Exploit, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-21472

Scores

CVSS v3 10.0
EPSS 0.9425
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2024-06-26
CWE
CWE-95 CWE-94
Status published
Products (2)
org.xwiki.platform/xwiki-platform-search-ui 2.4-milestone-1 - 14.10.20Maven
xwiki/xwiki 2.4 - 14.10.20
Published Apr 10, 2024
Tracked Since Feb 18, 2026