CVE-2026-33137
CRITICALXWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
Title source: cnaDescription
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r
X_Refsource_Misc x_refsource_misc
https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f
X_Refsource_Misc x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-23953
Scores
CVSS v4
9.3
EPSS
0.0004
EPSS Percentile
11.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (4)
xwiki/xwiki-platform
< 16.10.17
xwiki/xwiki-platform
>= 17.0.0-rc-1, < 17.4.9
xwiki/xwiki-platform
>= 17.5.0, < 17.10.3
xwiki/xwiki-platform
>= 18.0.0-rc-1, < 18.1.0-rc-1
Published
May 20, 2026
Tracked Since
May 21, 2026