GHSA-qrvh-r3f2-9h4r

Source
https://github.com/advisories/GHSA-qrvh-r3f2-9h4r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qrvh-r3f2-9h4r/GHSA-qrvh-r3f2-9h4r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qrvh-r3f2-9h4r
Aliases
  • CVE-2026-33137
Published
2026-05-26T18:58:19Z
Modified
2026-05-26T19:15:08.643375137Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
Details

Impact

POST /wikis/{wikiName} executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki.

Patches

This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

Workarounds

XWiki is not aware of any workarounds other than adding a rule to an HTTP proxy in front of the instance that rejects POST requests to the /wikis/{wikiName}[/] endpoint.
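The deny rule behind the proxy workaround above, together with a triage pass over access logs for the unauthenticated POST described under Impact, as an added Python example that is not part of the advisory or of XWiki's own code. It assumes the REST API is served under /xwiki/rest (REST_PREFIX; XWiki's default context path plus /rest), that the proxy writes combined log format, and the sample log lines are constructed. The matcher normalizes the request path (query stripped, one round of percent-decoding, servlet path parameters such as ;jsessionid removed, duplicate slashes collapsed) so that a deny rule keyed on the literal path is not trivially bypassed; the same matcher drives the log triage.

```python
"""Request matcher and access-log triage for GHSA-qrvh-r3f2-9h4r (constructed example)."""
import re
from typing import Optional

# Assumption: the REST API is served under /xwiki/rest (XWiki default context path + /rest).
# Adjust REST_PREFIX to the deployment's actual REST root.
REST_PREFIX = "/xwiki/rest"

# Exactly /wikis/{wikiName} with an optional trailing slash. Sub-resources such as
# /wikis/{wikiName}/spaces are different endpoints and are deliberately not matched.
_WIKI_ROOT = re.compile(r"^/wikis/([^/]+)/?$")


def normalize_path(raw: str) -> str:
    """Canonicalize a request target before matching so encoding tricks do not slip
    past a path-based deny rule: drop query/fragment, percent-decode once, strip
    servlet path parameters (;jsessionid=...), collapse repeated slashes."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    path = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), path)
    path = re.sub(r";[^/]*", "", path)
    path = re.sub(r"/{2,}", "/", path)
    return path


def targeted_wiki(method: str, raw_path: str) -> Optional[str]:
    """Return the wiki name if the request is a POST to the XAR-import endpoint, else None."""
    if method.upper() != "POST":
        return None
    path = normalize_path(raw_path)
    if not path.startswith(REST_PREFIX + "/"):
        return None
    m = _WIKI_ROOT.match(path[len(REST_PREFIX):])
    return m.group(1) if m else None


def should_block(method: str, raw_path: str) -> bool:
    """Deny rule equivalent to the advisory's proxy workaround: refuse every POST to
    /wikis/{wikiName}[/]. This also blocks legitimate authenticated XAR imports over
    REST, which is the accepted cost until the instance is upgraded."""
    return targeted_wiki(method, raw_path) is not None


# Combined log format: host ident authuser [time] "METHOD path proto" status bytes
_LOG = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def triage_log(lines):
    """Flag POSTs to the import endpoint. The authuser field only reflects HTTP Basic
    credentials seen by the proxy; cookie-based sessions also log '-', so a hit with
    no user is a lead for review on an unpatched instance, not proof of exploitation."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        wiki = targeted_wiki(m["method"], m["path"])
        if wiki is None:
            continue
        hits.append({
            "host": m["host"],
            "time": m["time"],
            "wiki": wiki,
            "status": int(m["status"]),
            "basic_auth_user": None if m["user"] == "-" else m["user"],
        })
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/May/2026:10:01:02 +0000] "POST /xwiki/rest/wikis/xwiki HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/May/2026:10:01:03 +0000] "POST /xwiki/rest//wikis/xwiki/ HTTP/1.1" 200 512',
    '203.0.113.9 - admin [26/May/2026:10:02:00 +0000] "POST /xwiki/rest/wikis/xwiki HTTP/1.1" 200 512',
    '203.0.113.9 - - [26/May/2026:10:02:30 +0000] "GET /xwiki/rest/wikis/xwiki HTTP/1.1" 200 1033',
    '203.0.113.9 - - [26/May/2026:10:03:00 +0000] "POST /xwiki/rest/wikis/xwiki/spaces/Main HTTP/1.1" 201 200',
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit)
```

Running the module over SAMPLE_LOG reports three hits: the two unauthenticated POSTs from 198.51.100.7 (the second one reaching the endpoint through a doubled slash) and the Basic-authenticated one from admin; the GET and the POST to a sub-resource are left alone. Any proxy rule derived from should_block must be reviewed once the instance is on a fixed version, since it also disables legitimate REST XAR imports.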

Resources

  • https://jira.xwiki.org/browse/XWIKI-23953
  • https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f

For more information

If there are any questions or comments about this advisory:
  • Open an issue in Jira XWiki.org
  • Send an email to the Security Mailing List

Attribution

Reported by Sho Odagiri (GMO Cybersecurity by Ierae, Inc.).

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-26T18:58:19Z",
    "severity": "CRITICAL",
    "nvd_published_at": "2026-05-20T20:16:37Z",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Maven
org.xwiki.platform:xwiki-platform-rest-server

Package

Name
org.xwiki.platform:xwiki-platform-rest-server
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-rest-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
15.10.6
Fixed
16.10.17

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qrvh-r3f2-9h4r/GHSA-qrvh-r3f2-9h4r.json"
org.xwiki.platform:xwiki-platform-rest-server

Package

Name
org.xwiki.platform:xwiki-platform-rest-server
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-rest-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
17.0.0-rc-1
Fixed
17.4.9

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qrvh-r3f2-9h4r/GHSA-qrvh-r3f2-9h4r.json"
org.xwiki.platform:xwiki-platform-rest-server

Package

Name
org.xwiki.platform:xwiki-platform-rest-server
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-rest-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
17.5.0
Fixed
17.10.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qrvh-r3f2-9h4r/GHSA-qrvh-r3f2-9h4r.json"
org.xwiki.platform:xwiki-platform-rest-server

Package

Name
org.xwiki.platform:xwiki-platform-rest-server
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-rest-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
18.0.0-rc-1
Fixed
18.1.0-rc-1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qrvh-r3f2-9h4r/GHSA-qrvh-r3f2-9h4r.json"