CVE-2026-33137

Published: Mag 20, 2026 Last Modified: Mag 20, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

862

Missing Authorization

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Access Control Availability

Potential Impacts:

Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Bypass Protection Mechanism Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)

Applicable Platforms

Technologies: AI/ML, Web Server, Database Server, Not Technology-Specific

Likelihood of Exploit: High

View CWE Details

https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256…

https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f52…

https://github.com/xwiki/xwiki-platform/security/advisories…

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r

https://jira.xwiki.org/browse/XWIKI-23953

CVE-2026-33137

Description

Missing Authorization

Common Consequences

Applicable Platforms

Iscriviti alla newsletter