CVE Catalog

CVE-2026-23734

Critical
Published: Translated: NVD NIST

Summary

XWiki Platform versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files via Path Traversal. This can be exploited by manipulating the resource parameter in the ssx and jsx endpoints.

Risk Assessment

Exploitation of this vulnerability may lead to the disclosure of sensitive configuration information, increasing the risk of attacks on the system. Organizations should be aware of the potential threats associated with unauthorized access to configuration files.

Recommendation

It is recommended to upgrade to versions 18.1.0-rc-1, 17.10.3, 17.4.9, or 16.10.17 to mitigate this vulnerability. Additionally, implementing further security measures to restrict access to configuration files is advisable.

Original NVD description (English source)

XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability is can be exploited via resources parameter the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS