๐Ÿ” CVE Alert

CVE-2026-40104

HIGH 8.2

XWiki's REST APIs can list all pages/spaces, leading to unavailability

CVSS Score: 8.2
EPSS Score: 0.0%
EPSS Percentile: 11th

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions from 1.8-rc-1 before 16.10.16, from 17.0.0-rc-1 before 17.4.8, and from 17.5.0-rc-1 before 17.10.1 include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1.

CWE: CWE-770
Vendor: xwiki
Product: org.xwiki.platform:xwiki-platform-oldcore
Published: Apr 15, 2026
Last Updated: Apr 16, 2026

Affected Versions

xwiki / org.xwiki.platform:xwiki-platform-oldcore
>= 1.8-rc-1, < 16.10.16
>= 17.0.0-rc-1, < 17.4.8
>= 17.5.0-rc-1, < 17.10.1

xwiki / org.xwiki.platform:xwiki-platform-legacy-oldcore
>= 1.8-rc-1, < 16.10.16
>= 17.0.0-rc-1, < 17.4.8
>= 17.5.0-rc-1, < 17.10.1

References

github.com: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g
github.com: https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7
jira.xwiki.org: https://jira.xwiki.org/browse/XWIKI-23550