CVE-2026-33229
Published: 08 April 2026
Description
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Security Summary
CVE-2026-33229 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting the XWiki Platform, a generic wiki platform providing runtime services for applications. In versions prior to 17.4.8 and 17.10.1, an improperly protected scripting API (CWE-862) enables users with script rights to bypass the sandboxing of the Velocity scripting API. This allows execution of arbitrary code, such as Python scripts, granting full access to the XWiki instance.
Any user who holds script rights (already an elevated level of access that should not be granted to untrusted parties) can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation compromises the confidentiality, integrity, and availability of the entire XWiki instance by executing unsandboxed code.
Advisories recommend upgrading to XWiki Platform 17.4.8 or 17.10.1, where the vulnerability is fixed, as detailed in the GitHub security advisory (GHSA-h259-74h5-4rh9), the fixing commit (9fe84da66184c05953df9466cf3a4acd15a46e63), and related JIRA tickets (XWIKI-23698, XWIKI-23702).
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in the public-facing XWiki web application enables remote code execution (T1190). Bypassing the Velocity scripting sandbox facilitates privilege escalation from script rights to full instance access (T1068) and aligns with template injection techniques (T1221).