CVE-2026-33137

CRITICAL

XWiki Platform REST /wikis/{wikiName} - Unauthenticated XAR Import

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-33137. PoCs published by portbuster1337.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-33137, an unauthenticated XAR import vulnerability in XWiki Platform. The PoC demonstrates the ability to create or update arbitrary documents and achieve RCE via crafted XAR files.

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

Exploits (1)

nomisec WORKING POC
by portbuster1337 · poc
https://github.com/portbuster1337/CVE-2026-33137

This repository contains a functional exploit for CVE-2026-33137, an unauthenticated XAR import vulnerability in XWiki Platform. The PoC demonstrates the ability to create or update arbitrary documents and achieve RCE via crafted XAR files.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: XWiki Platform (versions prior to 16.10.17, 17.4.9, 17.10.3, 18.0.1, 18.1.0-rc-1)
No auth needed
Prerequisites: Target must be running a vulnerable version of XWiki Platform · Scripting rights must be enabled for RCE
mistral-large-3 · analyzed May 26, 2026 Full analysis →

Scores

CVSS v4 9.3
EPSS 0.0059
EPSS Percentile 44.3%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-862
Status published
Products (9)
org.xwiki.platform/xwiki-platform-rest-server 15.10.6 - 16.10.17Maven
org.xwiki.platform/xwiki-platform-rest-server 17.0.0-rc-1 - 17.4.9Maven
org.xwiki.platform/xwiki-platform-rest-server 17.5.0 - 17.10.3Maven
org.xwiki.platform/xwiki-platform-rest-server 18.0.0-rc-1 - 18.1.0-rc-1Maven
xwiki/xwiki-platform < 16.10.17
xwiki/xwiki-platform >= 15.10.6, < 16.10.17
xwiki/xwiki-platform >= 17.0.0-rc-1, < 17.4.9
xwiki/xwiki-platform >= 17.5.0, < 17.10.3
xwiki/xwiki-platform >= 18.0.0-rc-1, < 18.1.0-rc-1
Published May 20, 2026
Tracked Since May 21, 2026