Security: xwiki/xwiki-platform

SECURITY.md

XWiki's security policy is detailed in the following document: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.

Published security advisories (GHSA identifier, severity, publication date and publisher as listed on GitHub):
- Remote code execution with script right through unprotected Velocity scripting API
  GHSA-h259-74h5-4rh9 | Severity: High | Published Apr 8, 2026 by michitux

- Reflected Cross-Site Scripting (XSS) in page history compare
  GHSA-w4fj-87j5-f25c | Severity: Moderate | Published Apr 14, 2026 by michitux

- REST APIs can list all pages/spaces, leading to unavailability
  GHSA-mrqg-xmgm-rc5g | Severity: Moderate | Published Apr 14, 2026 by michitux

- Click-jacking through CSS injection in comments
  GHSA-74rh-c5rh-88vg | Severity: Moderate | Published Feb 12, 2026 by surli

- Reflected Cross-Site Scripting (XSS) in Error Messages
  GHSA-wvqx-m5px-6cmp | Severity: Moderate | Published Jan 23, 2026 by michitux

- XJetty allows accessing any application file through URL
  GHSA-53gx-j3p6-2rw9 | Severity: High | Published Dec 1, 2025 by tmortagne

- REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis
  GHSA-cc84-q3v3-mhgf | Severity: High | Published Dec 10, 2025 by michitux

- Reflected XSS via xredirect parameter in DeleteApplication
  GHSA-7vpr-jm38-wr7w | Severity: Moderate | Published Dec 10, 2025 by michitux

- HQL injection via wiki and space search REST API
  GHSA-gprp-h92g-gc2h | Severity: Critical | Published Oct 6, 2025 by tmortagne

- Configuration files can be accessed through jsx and sx endpoints
  GHSA-m63c-3rmg-r2cf | Severity: Critical | Published Sep 3, 2025 by tmortagne
Further advisories related to xwiki/xwiki-platform are listed in the GitHub Advisory Database.