CVE-2026-24128 — MEDIUM (6.1)

Q: How severe is CVE-2026-24128?

CVE-2026-24128 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-24128?

Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki, Xwiki Xwiki-Rendering.

Vulnerability Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Xwiki	Xwiki	>= 7.0.1, < 16.10.12
Xwiki	Xwiki-Rendering	17.5.0

Related Weaknesses (CWE)

CWE-79 CWE-80

References

https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8bPatch
https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12ProductRelease Notes
https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5ProductRelease Notes
https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1ProductRelease Notes
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmpPatchVendor Advisory
https://jira.xwiki.org/browse/XWIKI-23462Vendor Advisory

FAQ

What is CVE-2026-24128?

CVE-2026-24128 is a vulnerability with a CVSS score of 6.1 (MEDIUM). XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through ...

How severe is CVE-2026-24128?

CVE-2026-24128 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-24128?

Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki, Xwiki Xwiki-Rendering.