CVE-2024-56158 CRITICAL

CVE-2024-56158: XWiki allows SQL injection in query endpoint of REST API with Oracle

Vendor Xwiki
Product xwiki-platform
Weakness CWE-89 · SQLi
Published June 12, 2025
Last update January 12, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

XWiki is a generic wiki platform. When XWiki runs on an Oracle database, any SQL query can be executed through the query endpoint of the REST API by calling Oracle functions such as DBMS_XMLGEN or DBMS_XMLQUERY, which take a query string as an argument and execute it. The XWiki query validator does not check the functions used inside what is otherwise a simple select, and Hibernate allows any native database function to be used in an HQL query, so the restrictions the validator enforces on the outer query are bypassed. As the CVSS vector records, no privileges or user interaction are required. The vulnerability is fixed in XWiki 16.10.2, 16.4.7 and 15.10.16.
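The following Oracle SQL is an added example, not text from the advisory or code from the XWiki project. It shows why a call to DBMS_XMLGEN or DBMS_XMLQUERY inside an otherwise harmless-looking SELECT amounts to arbitrary query execution, and gives the check and the hardening step a DBA would want. The account name XWIKI and the revoke statements are assumptions about the deployment, not something the advisory states.

```sql
-- Added example (not from the advisory or the XWiki project): why a call to
-- DBMS_XMLGEN inside a single, simple SELECT is arbitrary query execution on
-- Oracle. Runs as any user that can SELECT FROM dual.

-- 1. What a "simple select" looks like to a validator that only inspects the
--    outer statement: one SELECT, one table (dual), no second statement,
--    no UNION. The string literal, however, is handed to DBMS_XMLGEN.GETXML,
--    which parses and executes it as a separate SQL query and returns the
--    result set serialised as XML in a CLOB.
SELECT DBMS_XMLGEN.GETXML('SELECT username, created FROM all_users')
  FROM dual;

-- 2. DBMS_XMLQUERY.GETXML is the older package with the same behaviour:
SELECT DBMS_XMLQUERY.GETXML('SELECT banner FROM v$version')
  FROM dual;

-- 3. The inner query can be anything the connecting database user is allowed
--    to run, while the outer statement never changes shape, so a check that
--    rejects keywords or extra statements in the outer query does not fire.
--    Check which of these packages the application's account can reach
--    (run while connected as that account, or substitute its name for USER):
SELECT grantee, table_name, privilege
  FROM all_tab_privs
 WHERE table_name IN ('DBMS_XMLGEN', 'DBMS_XMLQUERY')
   AND grantee IN ('PUBLIC', USER);

-- 4. Defence in depth after patching (assumption: the application connects
--    as XWIKI and does not itself need these packages). Oracle grants
--    EXECUTE on both packages to PUBLIC by default, so revoking from PUBLIC
--    affects every account on the instance; test in a non-production copy
--    first and re-grant to the specific schemas that need them.
-- REVOKE EXECUTE ON SYS.DBMS_XMLGEN   FROM PUBLIC;
-- REVOKE EXECUTE ON SYS.DBMS_XMLQUERY FROM PUBLIC;
```

The point of the example is that the validator's view of the query (one SELECT against dual) and the database's view of it (a second query executed from a string) differ. Upgrading to a fixed XWiki release is the actual remediation; the revoke is only a compensating control, and other Oracle packages that execute a query passed as a string exist, so an allowlist of functions on the application side is the durable fix.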

Key dates

Disclosure timeline

June 12, 2025 CVE published
January 12, 2026 Record updated