CVE-2026-33137 - Vulnerability Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

xwiki

xwiki-platform

affected

Version	Status	Constraints
`< 16.10.17`	affected	—
`>= 17.0.0-rc-1, < 17.4.9`	affected	—
`>= 17.5.0, < 17.10.3`	affected	—
`>= 18.0.0-rc-1, < 18.1.0-rc-1`	affected	—

No data.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r
https://jira.xwiki.org/browse/XWIKI-23953

History

Wed, 20 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
Title		XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
Weaknesses		CWE-862
References		https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r https://jira.xwiki.org/browse/XWIKI-23953
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-20T18:59:17.819Z

Updated: 2026-05-20T18:59:17.819Z

Reserved: 2026-03-17T20:35:49.929Z

Link: CVE-2026-33137

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-20T20:16:37.567

Modified: 2026-05-20T20:16:37.567

Link: CVE-2026-33137

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-862

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object