GHSA-h259-74h5-4rh9

Source
https://github.com/advisories/GHSA-h259-74h5-4rh9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-h259-74h5-4rh9/GHSA-h259-74h5-4rh9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h259-74h5-4rh9
Aliases
  • CVE-2026-33229
Published
2026-04-08T15:00:17Z
Modified
2026-04-08T19:36:59.002837Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API
Details

Impact

An improperly protected scripting API lets any user holding script right bypass the sandboxing of the Velocity scripting API and execute arbitrary code (for example arbitrary Python scripts) with full access to the XWiki instance, compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we do not recommend granting to untrusted users, which is why the CVSS vector rates the required privileges as high (PR:H).

Patches

The vulnerability has been patched in XWiki 17.4.8 and 17.10.1 by requiring programming right to access the affected scripting API.
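The two fixed versions above correspond to two separate affected ranges in the OSV record (17.0.0-rc-1 up to but excluding 17.4.8, and 17.5.0-rc-1 up to but excluding 17.10.1) for both the `xwiki-platform-oldcore` and `xwiki-platform-legacy-oldcore` artifacts. The following script, an added example that is neither XWiki's code nor part of the advisory, evaluates a Maven coordinate against those ranges with OSV's `introduced <= version < fixed` semantics and scans `mvn dependency:list` style output for hits. The ranges are transcribed from this page; the version ordering is a deliberate simplification of Maven's (an assumption) that understands final versions such as 17.4.8 and XWiki-style pre-releases such as 17.5.0-rc-1 or 17.0.0-milestone-2, and the sample build output is constructed.

```python
"""Check Maven coordinates against the affected ranges of GHSA-h259-74h5-4rh9.

Added example, not code from XWiki or the advisory database. Affected ranges
are transcribed from the advisory; version ordering is a simplified model of
Maven's (assumption): final versions, plus "-milestone-N" / "-rc-N" pre-releases.
"""
import re

# OSV-style "affected" entries, constructed from the data on this page.
_RANGES = [
    ({"introduced": "17.0.0-rc-1"}, {"fixed": "17.4.8"}),
    ({"introduced": "17.5.0-rc-1"}, {"fixed": "17.10.1"}),
]
ADVISORY = {
    "id": "GHSA-h259-74h5-4rh9",
    "affected": [
        {"package": {"ecosystem": "Maven", "name": name},
         "ranges": [{"type": "ECOSYSTEM", "events": list(events)}]}
        for name in ("org.xwiki.platform:xwiki-platform-oldcore",
                     "org.xwiki.platform:xwiki-platform-legacy-oldcore")
        for events in _RANGES
    ],
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(milestone|rc)-?(\d+)?)?$")
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}


def version_key(version):
    """Sort key: a pre-release of X.Y.Z sorts before the final X.Y.Z;
    trailing .0 components are dropped so 17.5 and 17.5.0 compare equal."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    numbers = [int(p) for p in m.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    qualifier, number = m.group(2), m.group(3)
    if qualifier is None:
        return (tuple(numbers), 1, 0, 0)  # final release
    return (tuple(numbers), 0, _QUALIFIER_RANK[qualifier], int(number or 0))


def in_range(version, events):
    """OSV semantics: affected if introduced <= version < fixed (fixed optional)."""
    introduced = fixed = None
    for event in events:
        introduced = event.get("introduced", introduced)
        fixed = event.get("fixed", fixed)
    if introduced is None:
        raise ValueError("range has no 'introduced' event")
    key = version_key(version)
    if key < version_key(introduced):
        return False
    return fixed is None or key < version_key(fixed)


def is_affected(package, version, advisory=ADVISORY):
    """True if package@version falls inside any affected ECOSYSTEM range."""
    for entry in advisory["affected"]:
        if entry["package"]["name"] != package:
            continue
        for rng in entry["ranges"]:
            # Assumption: only ECOSYSTEM ranges occur, as in this advisory.
            if rng["type"] == "ECOSYSTEM" and in_range(version, rng["events"]):
                return True
    return False


def scan_dependency_list(text, advisory=ADVISORY):
    """Return affected coordinates found in `mvn dependency:list` output.

    Assumed line shape: "[INFO]    groupId:artifactId:type[:classifier]:version:scope".
    """
    hits = []
    for line in text.splitlines():
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) not in (5, 6):
            continue  # banner lines and anything that is not a coordinate
        package, version = f"{parts[0]}:{parts[1]}", parts[-2]
        try:
            if is_affected(package, version, advisory):
                hits.append(f"{package}:{version}")
        except ValueError:
            pass  # unknown version syntax: report nothing rather than guess
    return hits


# Constructed sample output, not a real build log.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.xwiki.platform:xwiki-platform-oldcore:jar:17.4.7:compile
[INFO]    org.xwiki.platform:xwiki-platform-legacy-oldcore:jar:17.10.1:compile
[INFO]    org.xwiki.commons:xwiki-commons-velocity:jar:17.4.7:compile
"""

if __name__ == "__main__":
    for hit in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print("AFFECTED:", hit)
```

Note that a deployment on the 17.5 to 17.9 line is affected even though it is newer than 17.4.8: the fix landed in the 17.4.x LTS branch and in 17.10.1, so anything in between has to move to 17.10.1 or later. The scanner deliberately refuses to classify versions whose syntax it does not recognise instead of silently treating them as safe.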

Workarounds

We are not aware of any workaround other than restricting script right to trusted users; until you can upgrade, review which users and groups currently hold script right.

Attribution

We thank Youssef Azefzaf for discovering and reporting this vulnerability.

Database specific
{
    "nvd_published_at": "2026-04-08T16:16:23Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed_at": "2026-04-08T15:00:17Z"
}
References

Affected packages

Maven
org.xwiki.platform:xwiki-platform-oldcore

Package

Name
org.xwiki.platform:xwiki-platform-oldcore
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
17.0.0-rc-1
Fixed
17.4.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-h259-74h5-4rh9/GHSA-h259-74h5-4rh9.json"
org.xwiki.platform:xwiki-platform-oldcore

Package

Name
org.xwiki.platform:xwiki-platform-oldcore
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
17.5.0-rc-1
Fixed
17.10.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-h259-74h5-4rh9/GHSA-h259-74h5-4rh9.json"
org.xwiki.platform:xwiki-platform-legacy-oldcore

Package

Name
org.xwiki.platform:xwiki-platform-legacy-oldcore
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
17.0.0-rc-1
Fixed
17.4.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-h259-74h5-4rh9/GHSA-h259-74h5-4rh9.json"
org.xwiki.platform:xwiki-platform-legacy-oldcore

Package

Name
org.xwiki.platform:xwiki-platform-legacy-oldcore
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-legacy-oldcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
17.5.0-rc-1
Fixed
17.10.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-h259-74h5-4rh9/GHSA-h259-74h5-4rh9.json"