← volver
CVE-2026-33137

XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}

CVSS 9.3 CRITICALEPSS 0.6%CWE-862
Vexday Risk Score
48Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS 9.3EPSS 0.6%KEV nãoPoC públicaNuclei Metasploit Patch
Ciclo de vida
20 may 2026Publicada en NVD
25 may 2026PoC pública
Recomendación: Planificar corrección próxima — ya existe PoC pública.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Productos afectados
xwiki · xwiki-platform
PoCs públicas encontradas1
githubgithub.com/portbuster1337/CVE-2026-331370
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990fhttps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4rhttps://jira.xwiki.org/browse/XWIKI-23953