CVE-2026-33137 - Vulnerability Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation none

Automatable yes

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

xwiki

xwiki-platform

affected

Version	Status	Constraints
`>= 15.10.6, < 16.10.17`	affected	—
`>= 17.0.0-rc-1, < 17.4.9`	affected	—
`>= 17.5.0, < 17.10.3`	affected	—
`>= 18.0.0-rc-1, < 18.1.0-rc-1`	affected	—

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Xwiki Subscribe	Wiki-platform Subscribe

Project Subscriptions

Vendors	Products
Xwiki Subscribe	Wiki-platform Subscribe

Advisories

Source	ID	Title
Github GHSA	GHSA-qrvh-r3f2-9h4r	XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r
https://jira.xwiki.org/browse/XWIKI-23953

History

Tue, 26 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

Thu, 21 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 21 May 2026 08:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Xwiki Xwiki wiki-platform
Vendors & Products		Xwiki Xwiki wiki-platform

Wed, 20 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
Title		XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
Weaknesses		CWE-862
References		https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r https://jira.xwiki.org/browse/XWIKI-23953
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-20T18:59:17.819Z

Updated: 2026-05-26T18:20:49.991Z

Reserved: 2026-03-17T20:35:49.929Z

Link: CVE-2026-33137

Vulnrichment

Updated: 2026-05-21T13:25:29.397Z

NVD

Status : Deferred

Published: 2026-05-20T20:16:37.567

Modified: 2026-05-26T19:16:27.020

Link: CVE-2026-33137

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T21:30:16Z

Weaknesses

CWE-862

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Exploitation none

Automatable yes

Technical Impact total

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object