GHSA-rh28-mqj4-8x59

Source
https://github.com/advisories/GHSA-rh28-mqj4-8x59
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rh28-mqj4-8x59/GHSA-rh28-mqj4-8x59.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-rh28-mqj4-8x59
Aliases
  • CVE-2026-48048
Published
2026-05-26T20:16:59Z
Modified
2026-05-26T20:30:09.371785109Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests
Details

Impact

XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient: with slightly modified parameters to LiveTableResults, it is still possible to discover password hashes one bit at a time. With 768 requests, the full password salt and hash of a user can be retrieved.

Patches

The check for password (and email) properties has been adjusted in XWiki 18.0.0RC1, 17.10.13, 17.4.9 and 16.10.17.

Workarounds

The patch can be applied manually to the wiki page XWiki.LiveTableResultsMacros.

Resources

  • https://jira.xwiki.org/browse/XWIKI-23875
  • https://github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa
Database specific
{
    "severity": "HIGH",
    "nvd_published_at": null,
    "github_reviewed_at": "2026-05-26T20:16:59Z",
    "cwe_ids": [
        "CWE-359"
    ],
    "github_reviewed": true
}
Affected packages

Maven
org.xwiki.platform:xwiki-platform-livetable-ui

Package

Name
org.xwiki.platform:xwiki-platform-livetable-ui
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-livetable-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.1
Fixed
16.10.17

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rh28-mqj4-8x59/GHSA-rh28-mqj4-8x59.json"
org.xwiki.platform:xwiki-platform-livetable-ui

Package

Name
org.xwiki.platform:xwiki-platform-livetable-ui
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-livetable-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
17.0.0-rc-1
Fixed
17.4.9

org.xwiki.platform:xwiki-platform-livetable-ui

Package

Name
org.xwiki.platform:xwiki-platform-livetable-ui
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-livetable-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
17.5.0-rc-1
Fixed
17.10.3
