XWiki Rendering Vulnerability

HIGH (8.8) Patch Available

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.39% chance of exploitation (percentile: 60%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found


What is it?

XWiki Rendering is a generic rendering system that converts textual input in a given syntax into another syntax. The vulnerability stems from insufficient protection against {{/html}} injection: an attacker who can edit their own profile or any other document can inject malicious script macros, which leads to remote code execution on the server and unrestricted access to all wiki contents.

Am I affected?

You're affected if you use XWiki Rendering. Affected versions: 17.5.0, 16.10.9, 17.4.2

Affected Packages

maven: org.xwiki.rendering:xwiki-rendering-xml

Affected Products

XWiki / XWiki Rendering

How to fix

To fix this vulnerability, upgrade to a patched release:

  • Upgrading to XWiki 16.10.10
  • Upgrading to XWiki 17.4.3
  • Upgrading to XWiki 17.6.0-rc-1
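To decide whether an installed xwiki-rendering-xml artifact is at a patched level, here is an added Python helper (not code from XWiki or from this advisory) that applies the fix versions listed above to version strings pulled from `mvn dependency:list` output. It assumes that any release below the listed fix on its maintenance branch, or on a branch with no listed fix (such as 17.5.x), should be treated as affected.

```python
import re
from typing import List, Tuple

ARTIFACT = "org.xwiki.rendering:xwiki-rendering-xml"  # affected package from the advisory

# Lowest patched release per maintenance branch (major, minor) -> patch, taken from the
# advisory: 16.10.10, 17.4.3 and 17.6.0-rc-1. Assumption: anything below the fix on its
# branch, or on a branch without a listed fix (e.g. 17.5.x, 16.9.x), is treated as affected.
FIXED_PATCH_BY_BRANCH = {(16, 10): 10, (17, 4): 3, (17, 6): 0}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Split an XWiki version such as '17.6.0-rc-1' into (major, minor, patch, qualifier)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch), qualifier or ""


def is_fixed(version: str) -> bool:
    """True if the version is at or above the advisory's fix for its branch."""
    major, minor, patch, _qualifier = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH_BY_BRANCH:
        return patch >= FIXED_PATCH_BY_BRANCH[branch]
    return branch > (17, 6)  # later branches ship with the fix; older ones do not


# `mvn dependency:list` prints "[INFO]    groupId:artifactId:type[:classifier]:version:scope".
_DEP_RE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w\-]+:)?(\d[^:\s]*):\w+")


def find_affected(dependency_list_output: str) -> List[Tuple[str, bool]]:
    """Return (version, fixed?) for each occurrence of the affected artifact in the output."""
    results = []
    for line in dependency_list_output.splitlines():
        m = _DEP_RE.match(line)
        if m and f"{m.group(1)}:{m.group(2)}" == ARTIFACT:
            results.append((m.group(3), is_fixed(m.group(3))))
    return results


# Constructed sample output for illustration, not taken from a real build.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.xwiki.rendering:xwiki-rendering-xml:jar:16.10.9:compile
[INFO]    org.xwiki.rendering:xwiki-rendering-api:jar:16.10.9:compile
[INFO]    org.xwiki.rendering:xwiki-rendering-xml:jar:17.6.0-rc-1:test
"""

if __name__ == "__main__":
    for version, fixed in find_affected(SAMPLE_OUTPUT):
        print(f"{ARTIFACT}:{version} -> {'patched' if fixed else 'AFFECTED, upgrade'}")
```

Run it against the real `mvn dependency:list` output of your XWiki build (or any project pulling in the artifact) to get a per-version verdict.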

Immediate mitigations include restricting network access to your XWiki instance and auditing admin account activity for suspicious access patterns.