GHSA-vgwr-23fq-pr7g

Source
https://github.com/advisories/GHSA-vgwr-23fq-pr7g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-vgwr-23fq-pr7g/GHSA-vgwr-23fq-pr7g.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vgwr-23fq-pr7g
Aliases
  • CVE-2026-48047
Published
2026-05-26T19:33:44Z
Modified
2026-05-26T19:45:09.522575587Z
Severity
  • 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
Summary
XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin
Details

Impact

A potential path traversal vulnerability allows an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe, such as overriding configuration files and setting the superadmin password, the attack first requires that the attacker already has admin access to at least a subwiki in order to install a malicious extension. Further, the attacker needs to publish the malicious extension in an extension repository that is configured in the instance.

Patches

This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, and 18.0.0RC1.

Workarounds

XWiki is not aware of any workarounds except for being careful about whom script and admin rights are granted to.

Resources

  • https://jira.xwiki.org/browse/XWIKI-23902
  • https://github.com/xwiki/xwiki-platform/commit/9f747fcd3200259a1de51957d3f5f6acc8e3816c
Database specific
{
    "github_reviewed_at": "2026-05-26T19:33:44Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-24"
    ]
}
Affected packages

Maven
org.xwiki.platform:xwiki-platform-webjars-api

Package

Name
org.xwiki.platform:xwiki-platform-webjars-api
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-webjars-api

Affected ranges

Type
ECOSYSTEM
Events
  • Introduced 9.6-rc-1, fixed 16.10.17
  • Introduced 17.0.0-rc-1, fixed 17.4.9
  • Introduced 17.5.0-rc-1, fixed 17.10.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-vgwr-23fq-pr7g/GHSA-vgwr-23fq-pr7g.json"