CVE-2026-33229: XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API

Published Apr 8, 2026
·
Updated

### Impact An improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. ### Patches The vulnerability has been patched in XWiki 17.4.8 and 17.10.1 by requiring programming right to access the affected scripting API. ### Workarounds We're not aware of any workarounds except for being careful whom you grant script right. ### Attribution We thank Youssef Azefzaf for discovering and reporting this vulnerability.

Affected Software

6 affected componentsFixes available
maven/org.xwiki.platform:xwiki-platform-legacy-oldcore>=17.5.0-rc-1<17.10.1
17.10.1
maven/org.xwiki.platform:xwiki-platform-legacy-oldcore>=17.0.0-rc-1<17.4.8
17.4.8
maven/org.xwiki.platform:xwiki-platform-oldcore>=17.5.0-rc-1<17.10.1
17.10.1
maven/org.xwiki.platform:xwiki-platform-oldcore>=17.0.0-rc-1<17.4.8
17.4.8
XWiki xwiki>=17.0.0<17.4.8
XWiki xwiki>=17.5.0<17.10.1

Remediation

Patch Available

https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63

Patch Available

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9

Event History

Apr 8, 2026
CVE Published
via MITRE·02:53 PM
Data Sourced
via MITRE·02:53 PM
DescriptionWeakness
Advisory Published
via GitHub·03:00 PM
Data Sourced
via GitHub·03:00 PM
DescriptionWeaknessAffected Software
Data Sourced
via NVD·04:16 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·04:16 PM
RemedyAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203