CVE-2026-24128: XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages

Published Jan 23, 2026
·
Updated

### Impact A reflected cross site scripting (XSS) vulnerability in XWiki allows an attacker to execute arbitrary actions in XWiki with the rights of the victim if the attacker manages to trick a victim into visiting a crafted URL. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. ### Patches This vulnerability has been patched in XWiki 17.8.0RC1, 17.4.5 and 16.10.12. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf#diff-8f16efedd19baae025db602d8736a105bfd8f72676af2c935b8195a0c356ee71) can be applied manually, only a single line in `templates/logging_macros.vm` needs to be changed, no restart is required. ### References * https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf * https://jira.xwiki.org/browse/XWIKI-23462 ### Attribution We thank Mike Cole @mikecole-mg for discovering and reporting this vulnerability.

Affected Software

10 affected componentsFixes available
maven/org.xwiki.platform:xwiki-platform-web-templates>=17.5.0-rc-1<17.8.0-rc-1
17.8.0-rc-1
maven/org.xwiki.platform:xwiki-platform-web-templates>=17.0.0-rc-1<17.4.5
17.4.5
maven/org.xwiki.platform:xwiki-platform-web-templates>=7.0-milestone-2<16.10.12
16.10.12
XWiki xwiki>=7.0.1<16.10.12
XWiki xwiki>=17.0.1<17.4.5
XWiki xwiki>=17.6.0<17.8.0
XWiki xwiki=7.0-milestone2
XWiki xwiki=7.0-rc1
XWiki xwiki=17.0.0-rc1
XWiki xwiki-rendering=17.5.0-rc1

Remediation

Patch Available

https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf

Patch Available

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp

Event History

Jan 23, 2026
Advisory Published
via GitHub·04:28 PM
Data Sourced
via GitHub·04:28 PM
DescriptionWeaknessAffected Software
CVE Published
via MITRE·11:18 PM
Data Sourced
via MITRE·11:18 PM
DescriptionWeakness
Jan 24, 2026
Data Sourced
via NVD·12:15 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·12:15 AM
RemedyAffected Software
Feb 27, 58104
Event
via FIRST·07:58 AM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-24128?

CVE-2026-24128 has a critical severity rating due to its potential exploitation allowing attackers to execute arbitrary actions.

2

How do I fix CVE-2026-24128?

To fix CVE-2026-24128, you should upgrade to XWiki versions 17.8.0-rc-1, 17.4.5, or 16.10.12.

3

What type of vulnerability is CVE-2026-24128?

CVE-2026-24128 is a reflected Cross-Site Scripting (XSS) vulnerability.

4

Who is impacted by CVE-2026-24128?

Any users of XWiki versions prior to the mentioned remedy versions are at risk of CVE-2026-24128.

5

What actions can an attacker perform due to CVE-2026-24128?

An attacker can execute arbitrary actions in XWiki using the victim's rights if they exploit CVE-2026-24128.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203
CVE-2026-24128 - XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages - SecAlerts