CVE-2026-23734
XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow configuration files to be read through URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability can be exploited via the resources parameter of the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17.
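To check whether an instance received requests of the shape described above, the following added example (not part of the advisory or of XWiki's code) scans web access logs for ssx/jsx requests whose resource value contains a `..` path segment. It assumes a combined-format access log and an optional `/xwiki` context path; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Skin-extension endpoints named in the advisory (ssx and jsx actions).
ENDPOINT = re.compile(r"/bin/(?:ssx|jsx)/")
# The advisory's sample URL uses "resource"; its text says "resources". Check both.
PARAMS = {"resource", "resources"}
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode until stable so an encoded value is compared in plain form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True when the decoded value contains a '..' path segment."""
    return ".." in re.split(r"[/\\]", fully_decode(value))

def suspicious_requests(log_lines):
    """Return (line_number, parameter, decoded_value) for each flagged request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not ENDPOINT.search(url.path):
            continue  # only the ssx/jsx endpoints are in scope
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name in PARAMS and is_traversal(value):
                hits.append((number, name, fully_decode(value)))
    return hits

# Constructed sample access-log lines (not from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2026:10:00:01 +0000] "GET /bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 5120',
    '192.0.2.11 - - [20/May/2026:10:00:02 +0000] "GET /xwiki/bin/jsx/Main/WebHome?resource=%2F..%2F..%2FWEB-INF%2Fxwiki.cfg HTTP/1.1" 200 5120',
    '192.0.2.12 - - [20/May/2026:10:00:03 +0000] "GET /bin/ssx/Main/WebHome?resource=css/style.css&minify=false HTTP/1.1" 200 812',
    '192.0.2.13 - - [20/May/2026:10:00:04 +0000] "GET /bin/view/Main/WebHome?resource=/../x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 response on a version listed as affected is worth following up by reviewing what the response contained and rotating any secrets stored in the configuration file.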
| CWE | CWE-23 |
| Vendor | xwiki |
| Product | xwiki-commons |
| Published | May 20, 2026 |
Affected Versions
xwiki / xwiki-commons
< 16.10.17
>= 17.0.0-rc-1, < 17.4.9
>= 17.5.0, < 17.10.3
>= 18.0.0-rc-1, < 18.1.0-rc-1