{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33229", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.507Z", "datePublished": "2026-04-08T14:53:35.977Z", "dateUpdated": "2026-04-08T14:53:35.977Z"}, "containers": {"cna": {"title": "XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63"}, {"name": "https://jira.xwiki.org/browse/XWIKI-23698", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-23698"}, {"name": "https://jira.xwiki.org/browse/XWIKI-23702", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-23702"}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"version": ">= 17.0.0-rc-1, < 17.4.8", "status": "affected"}, {"version": ">= 17.5.0-rc-1, < 17.10.1", "status": "affected"}]}, {"vendor": "org.xwiki.platform", "product": "xwiki-platform-legacy-oldcore", "versions": [{"version": ">= 17.0.0-rc-1, < 17.4.8", "status": "affected"}, {"version": ">= 17.5.0-rc-1, < 17.10.1", "status": "affected"}]}, {"vendor": "org.xwiki.platform", "product": "xwiki-platform-oldcore", "versions": [{"version": ">= 17.0.0-rc-1, < 17.4.8", "status": "affected"}, {"version": ">= 17.5.0-rc-1, < 17.10.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:53:35.977Z"}, "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1."}], "source": {"advisory": "GHSA-h259-74h5-4rh9", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1."}], "id": "CVE-2026-33229", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T16:16:23.430", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63"}, {"source": "security-advisories@github.com", "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9"}, {"source": "security-advisories@github.com", "url": "https://jira.xwiki.org/browse/XWIKI-23698"}, {"source": "security-advisories@github.com", "url": "https://jira.xwiki.org/browse/XWIKI-23702"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T17:20:24.508623+00:00", "value": {"mitigation_remediation": ["Upgrade XWiki Platform to version 17.4.8 or later 17.10.1", "Revoke or restrict the script right privilege from accounts that do not require it", "Verify that no untrusted users have script rights by reviewing user permissions", "Check that the application is running a patched version by reviewing release notes", "Enable logging and monitor for unexpected script execution attempts"], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all XWiki Platform releases built before versions 17.4.8 and 17.10.1. The impacted products include the legacy OldCore distributions (org.xwiki.platform:xwiki-platform-legacy-oldcore and org.xwiki.platform:xwiki-platform-oldcore) as well as the standard xwiki-platform bundle. Administrators should verify that no untrusted accounts possess the script right privilege.", "description_and_impact": "An improperly protected scripting API in XWiki Platform allows an attacker who has been granted script rights to bypass the Velocity sandbox and execute arbitrary scripts such as Python on the host operating system. This grants the attacker full control over the XWiki instance, compromising confidentiality, integrity, and availability of all data and services, effectively allowing them to modify or delete any content, perform privilege escalation, or launch further attacks against the underlying infrastructure. The flaw reflects a severe access\u2011control issue (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 8.6 indicates a high severity risk. EPSS for this issue is not publicly available, and it is not listed in the CISA KEV catalog, which suggests no confirmed exploitation yet. Based on the description, the likely attack vector is an authenticated user with script rights exploiting the exposed API. Because script rights already provide a high level of access, the risk of exploitation is significant if any such accounts exist in the environment. Prompt remediation is essential to mitigate potential full compromise of the instance."}}}}, "created": "2026-04-08T19:39:10.296251+00:00", "updated": "2026-04-08T19:39:10.296310+00:00", "vendors": []}