CVE-2026-33229

CRITICAL

XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-33229. PoCs published by azefzafyoussef.

AI-analyzed exploit summary The repository contains a functional proof-of-concept exploit for CVE-2026-33229, demonstrating an RCE vulnerability in XWiki Platform via Apache Velocity sandbox bypass. The PoC leverages pre-instantiated objects in the Velocity context to execute arbitrary commands without requiring Java Reflection.

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.

Exploits (1)

nomisec WORKING POC

by azefzafyoussef · poc

https://github.com/azefzafyoussef/CVE-2026-33229

View Code ZIP pw:eip

The repository contains a functional proof-of-concept exploit for CVE-2026-33229, demonstrating an RCE vulnerability in XWiki Platform via Apache Velocity sandbox bypass. The PoC leverages pre-instantiated objects in the Velocity context to execute arbitrary commands without requiring Java Reflection.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: XWiki Platform

Auth required

Prerequisites: Authenticated user with scripting permissions

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 11, 2026 Full analysis →

References (4)

Core 4

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9

X_Refsource_Misc x_refsource_misc

https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63

View Writeup ZIP pw:eip

X_Refsource_Misc x_refsource_misc

https://jira.xwiki.org/browse/XWIKI-23698

X_Refsource_Misc x_refsource_misc

https://jira.xwiki.org/browse/XWIKI-23702

Scores

CVSS v3 9.8

EPSS 0.0009

EPSS Percentile 25.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-862

Status published

Products (9)

org.xwiki.platform/xwiki-platform-legacy-oldcore 17.0.0-rc-1 - 17.4.8Maven

org.xwiki.platform/xwiki-platform-legacy-oldcore >= 17.0.0-rc-1, < 17.4.8

org.xwiki.platform/xwiki-platform-legacy-oldcore >= 17.5.0-rc-1, < 17.10.1

org.xwiki.platform/xwiki-platform-oldcore 17.0.0-rc-1 - 17.4.8Maven

org.xwiki.platform/xwiki-platform-oldcore >= 17.0.0-rc-1, < 17.4.8

org.xwiki.platform/xwiki-platform-oldcore >= 17.5.0-rc-1, < 17.10.1

xwiki/xwiki 17.0.0 - 17.4.8

xwiki/xwiki-platform >= 17.0.0-rc-1, < 17.4.8

xwiki/xwiki-platform >= 17.5.0-rc-1, < 17.10.1

Published Apr 08, 2026

Tracked Since Apr 08, 2026