CVE-2026-40105 MEDIUM

CVE-2026-40105: XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality

Vendor Xwiki
Product xwiki-platform
Weakness CWE-80 · XSS · basic
Published April 15, 2026
Last update April 15, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability (XSS) in the comparison view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. If developers are unable to update immediately, they can apply the patch manually to templates/changesdoc.vm in the deployed WAR.

Key dates

02Disclosure timeline

April 15, 2026 CVE published
April 15, 2026 Record updated