CVE-2026-23734

Source
https://cve.org/CVERecord?id=CVE-2026-23734
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23734.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-23734
Aliases
Published
2026-05-20T18:39:32.313Z
Modified
2026-06-20T09:55:59.721364Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash
Details

XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow configuration files to be read through URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability can be exploited via the resources parameter of the ssx and jsx endpoints by using a leading slash. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17. Because xwiki.cfg may contain authentication keys and other secrets, operators of an instance that was reachable while unpatched should consider rotating those values after upgrading.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23734.json",
    "cwe_ids": [
        "CWE-23"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-commons
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "4.2-milestone-2"
        },
        {
            "fixed": "16.10.17"
        },
        {
            "introduced": "17.0.0-rc-1"
        },
        {
            "fixed": "17.4.9"
        },
        {
            "introduced": "17.5.0"
        },
        {
            "fixed": "17.10.3"
        },
        {
            "introduced": "18.0.0-rc-1"
        },
        {
            "fixed": "18.1.0-rc-1"
        }
    ]
}

Affected versions

xwiki-commons-16.*
xwiki-commons-16.10.0
xwiki-commons-16.10.0-rc-1
xwiki-commons-16.10.1
xwiki-commons-16.10.10
xwiki-commons-16.10.11
xwiki-commons-16.10.12
xwiki-commons-16.10.13
xwiki-commons-16.10.14
xwiki-commons-16.10.15
xwiki-commons-16.10.16
xwiki-commons-16.10.2
xwiki-commons-16.10.3
xwiki-commons-16.10.4
xwiki-commons-16.10.5
xwiki-commons-16.10.6
xwiki-commons-16.10.7
xwiki-commons-16.10.8
xwiki-commons-16.10.9
xwiki-commons-17.*
xwiki-commons-17.10.0
xwiki-commons-17.10.0-rc-1
xwiki-commons-17.10.1
xwiki-commons-17.10.2
xwiki-commons-17.4.0
xwiki-commons-17.4.0-rc-1
xwiki-commons-17.4.1
xwiki-commons-17.4.2
xwiki-commons-17.4.3
xwiki-commons-17.4.4
xwiki-commons-17.4.5
xwiki-commons-17.4.6
xwiki-commons-17.4.7
xwiki-commons-17.4.8
xwiki-commons-8.*
xwiki-commons-8.0-milestone-1
xwiki-commons-8.0-milestone-2
xwiki-commons-8.1-milestone-1
xwiki-commons-8.1-milestone-2
xwiki-commons-8.2-milestone-1
xwiki-commons-8.2-milestone-2
xwiki-commons-8.3-milestone-1
xwiki-commons-8.3-milestone-2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23734.json"
vanir_signatures
[
    {
        "target": {
            "file": "xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/test/java/org/xwiki/classloader/internal/ClassLoaderUtilsTest.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "2948023592146722606491836670185018653",
                "274104245728058916856442530221646087902",
                "138909001934265186495120935438141488604",
                "189722264989612013457392855371978334318",
                "325443459546169335721702422478700535511",
                "248308437212831236273076095235174256875",
                "41782896662997759645816495766191793731",
                "188711983414259152124599187542176373177"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2026-23734-12dea3f1",
        "source": "https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf",
        "signature_version": "v1",
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/main/java/org/xwiki/classloader/internal/ClassLoaderUtils.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "308989672931439701215515641288251888827",
                "156634038738375471232741595136121852381",
                "50227681565533930959011950212750396681",
                "160201200821243622785031614106229528724",
                "175225849133164330438125518539838979339",
                "249366572244995496268506381131438116119",
                "301035959686307071156626950511214637879",
                "51077397778220341750957244371873746038",
                "270872738632402461207564462793543829467",
                "77959831762428945948369470785563242808",
                "157791561003054887425238913442336212630"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2026-23734-6b1fedcf",
        "source": "https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf",
        "signature_version": "v1",
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/test/java/org/xwiki/classloader/internal/ClassLoaderUtilsTest.java",
            "function": "getResource"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "28893803558754679635221987699601855831",
            "length": 1000.0
        },
        "id": "CVE-2026-23734-81b567d6",
        "source": "https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf",
        "signature_version": "v1",
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/test/java/org/xwiki/classloader/internal/ClassLoaderUtilsTest.java",
            "function": "getResourceAsStream"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "148662974130918769542307519163597290942",
            "length": 1002.0
        },
        "id": "CVE-2026-23734-86ff1272",
        "source": "https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf",
        "signature_version": "v1",
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/main/java/org/xwiki/classloader/internal/ClassLoaderUtils.java",
            "function": "resolveResourceName"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "77918730999879680585106513262093506912",
            "length": 640.0
        },
        "id": "CVE-2026-23734-b05e300f",
        "source": "https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf",
        "signature_version": "v1",
        "signature_type": "Function"
    }
]
vanir_signatures_modified
"2026-06-20T09:55:59Z"