CVE-2026-40105
Severity: MEDIUM 6.1 | EPSS 0.74%
XWiki has Reflected Cross-Site Scripting (XSS) in page history compare
Description
### Impact

A reflected cross-site scripting vulnerability (XSS) in the compare view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance.

### Patches

The problem has been patched by properly escaping the URL parameters.

### Workarounds

The [patch](https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c#diff-a5e75a4e3820a63c02a32666dda67c73ee7885ab8e7f67e52cfcb3be5a13326e) can be applied manually to `templates/changesdoc.vm` in the deployed WAR.

### Attribution

XWiki thanks Mike Cole @mikecole-mg for discovering and reporting this vulnerability.
Affected packages (1)
- Maven: org.xwiki.platform:xwiki-platform-web-templates, affected versions >= 10.4-rc-1, < 16.10.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H |
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-40105
- PATCH: https://github.com/xwiki/xwiki-platform
- WEB: https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c
- WEB: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c
- WEB: https://jira.xwiki.org/browse/XWIKI-23472