The XWiki security policy is detailed in the following document: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.
Security: xwiki/xwiki-platform
- Configuration files can be accessed through jsx and sx endpoints (GHSA-m63c-3rmg-r2cf), published Sep 3, 2025 by tmortagne. Severity: Critical
- Configuration files can be accessed through the webjars API (GHSA-qww7-89xh-x7m7), published Sep 3, 2025 by tmortagne. Severity: Critical
- PDF export jobs store sensitive cookies unencrypted in job statuses (GHSA-9m7c-m33f-3429), published Aug 28, 2025 by mflorea. Severity: Moderate
- Reflected XSS in two templates (GHSA-m9x4-w7p9-mxhx), published Aug 5, 2025 by michitux. Severity: Moderate
- SQL injection through getdeleteddocuments.vm template sort parameter (GHSA-vr59-gm53-v7cq), published Jul 24, 2025 by tmortagne. Severity: Critical
- SQL injection through XWiki#searchDocuments API (GHSA-p9qm-p942-q3w5), published Jul 25, 2025 by tmortagne. Severity: High
- Passwords and emails stored in fields not named password/email exposed in xml.vm (GHSA-57q2-6cp4-9mq3), published Aug 5, 2025 by michitux. Severity: High
- Any user with edit right can access all user's password hashes or other accessible password properties through Database List Properties (GHSA-r38m-cgpg-qj69), published Aug 5, 2025 by michitux. Severity: High
- Users with just edit right can enforce required rights with programming right (GHSA-rhfv-688c-p6hp), published May 21, 2025 by michitux. Severity: Moderate
- Privilege escalation through link refactoring (GHSA-jm43-hrq7-r7w6), published Jun 13, 2025 by surli. Severity: High
Learn more about advisories related to xwiki/xwiki-platform in the GitHub Advisory Database