CVE-2026-33137
XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
| CWE | CWE-862 |
| Vendor | xwiki |
| Product | xwiki-platform |
| Published | May 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for xwiki xwiki-platform
Be the first to know when new unknown vulnerabilities affecting xwiki xwiki-platform are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
xwiki / xwiki-platform
< 16.10.17 >= 17.0.0-rc-1, < 17.4.9 >= 17.5.0, < 17.10.3 >= 18.0.0-rc-1, < 18.1.0-rc-1