Vulnerability Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | >= 17.0.0, < 17.4.8 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd1Patch
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9PatchVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-23698ExploitVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-23702ExploitVendor Advisory
FAQ
What is CVE-2026-33229?
CVE-2026-33229 is a vulnerability with a CVSS score of 9.8 (CRITICAL). XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script ...
How severe is CVE-2026-33229?
CVE-2026-33229 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-33229?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.