GHSA-xq3r-2qv5-vqqm

Source
https://github.com/advisories/GHSA-xq3r-2qv5-vqqm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xq3r-2qv5-vqqm/GHSA-xq3r-2qv5-vqqm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xq3r-2qv5-vqqm
Aliases
Published
2026-05-26T17:16:40Z
Modified
2026-05-26T17:30:09.524270377Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash
Details

Impact

A request with no authentication (the CVSS vector above has PR:N) can read files outside the intended resource location, including configuration files under WEB-INF that the servlet container would never serve directly, by passing a resource value that starts with a slash and is followed by ../ segments, for example: http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false. The same parameter is accepted by the jsx endpoint.

This has been reproduced on Tomcat instances; whether other servlet containers behave the same way has not been confirmed.
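
The traversal above is a textbook instance of CWE-23, and the title's point about the leading slash is worth making concrete. The following Python is an added example written for this page; it is not XWiki's code and does not reproduce the root cause in xwiki-commons-classloader-api or the linked fix. It shows two things: first, how a naive path join discards the resource root when the supplied name begins with a slash (posixpath.join behaves this way, as does java.nio.file.Path.resolve when given an absolute argument), next to a containment check that rejects the advisory's payload and its percent-encoded variants; second, a hunt over Tomcat access-log lines for requests to the ssx and jsx endpoints whose resource parameter would escape the root, with a served flag that separates probable disclosures (2xx with a body) from failed attempts. The resource root, the context path and the log lines are constructed for the example, and the detector also flags '..' segments without a leading slash, which is a wider net than the trigger the advisory describes.

```python
"""Added example (not XWiki's code): (1) why a leading slash defeats a naive
path join, with a containment check that rejects the advisory's payload, and
(2) an access-log hunt for traversal attempts against the ssx/jsx endpoints."""
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical resource root; no particular XWiki deployment layout is assumed.
RESOURCE_ROOT = "/opt/tomcat/webapps/xwiki/resources"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode to a fixed point so %2F, %2e%2e and double encoding are seen plainly."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(name: str) -> bool:
    """True if `name` could leave the resource root.

    A leading slash is the trigger the advisory names and is rejected outright:
    posixpath.join(root, "/x") returns "/x", discarding root, and
    java.nio.file.Path.resolve does the same with an absolute argument.
    Any '..' segment is rejected too, whether or not normalisation would cancel
    it, because the server may not normalise the way this code does.
    """
    decoded = fully_decode(name).replace("\\", "/")
    return (not decoded or decoded.startswith("/")
            or ".." in decoded.split("/") or "\x00" in decoded)


def naive_resolve(root: str, name: str) -> str:
    """The pitfall: join() discards `root` when `name` is absolute."""
    return posixpath.normpath(posixpath.join(root, name))


def safe_resolve(root: str, name: str) -> str:
    """Resolve `name` under `root` or raise ValueError; never silently fall through."""
    if escapes_root(name):
        raise ValueError("rejected resource name: %r" % name)
    root_norm = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root_norm, fully_decode(name)))
    # Boundary-aware prefix test: '/opt/x/resources-private' must not pass for '/opt/x/resources'.
    if target != root_norm and not target.startswith(root_norm + "/"):
        raise ValueError("resolved outside root: %r" % name)
    return target


def is_contained(root: str, name: str) -> bool:
    try:
        safe_resolve(root, name)
        return True
    except ValueError:
        return False


# --- access-log hunt -------------------------------------------------------
# Tomcat common log format: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# The ssx and jsx endpoints named in the advisory, with or without a context path.
SKIN_EXT_RE = re.compile(r'^/(?:[^/]+/)?bin/(?P<ep>ssx|jsx)/')


@dataclass
class Finding:
    client: str
    timestamp: str
    endpoint: str
    resource: str   # decoded resource value
    status: int
    served: bool    # 2xx with a body: probable disclosure, not just an attempt


def scan_line(line: str) -> Optional[Finding]:
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    ep = SKIN_EXT_RE.match(url.path)
    if not ep:
        return None
    for value in parse_qs(url.query).get("resource", []):
        if escapes_root(value):
            status, size = int(m.group("status")), m.group("size")
            return Finding(m.group("client"), m.group("ts"), ep.group("ep"),
                           fully_decode(value), status,
                           200 <= status < 300 and size not in ("-", "0"))
    return None


def scan_log(lines) -> List[Finding]:
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample lines, not from a real incident; the first mirrors the advisory's URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2026:18:02:11 +0000] "GET /bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 6120',
    '203.0.113.7 - - [20/May/2026:18:02:14 +0000] "GET /xwiki/bin/jsx/Main/WebHome?resource=%2F..%2F..%2FWEB-INF%2Fxwiki.cfg HTTP/1.1" 200 6120',
    '203.0.113.7 - - [20/May/2026:18:02:20 +0000] "GET /bin/ssx/Main/WebHome?resource=%252F..%252F..%252FWEB-INF%252Fxwiki.cfg HTTP/1.1" 404 -',
    '198.51.100.4 - - [20/May/2026:18:03:01 +0000] "GET /bin/ssx/XWiki/DefaultSkin?resource=uicomponents/widgets/select/select.css&minify=true HTTP/1.1" 200 2210',
    '198.51.100.4 - - [20/May/2026:18:03:05 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 18820',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} {f.endpoint} {f.resource!r} status={f.status} served={f.served}")
```

Point scan_log at a real access log (for example scan_log(open(path))) on any instance that ran an affected version. A flagged request with a 2xx status and a non-zero response size should be treated as a probable disclosure of the named file, since nothing under WEB-INF is ever a legitimate skin-extension resource; a 4xx on the same request is an attempt worth attributing but not, by itself, a read.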

Patches

This has been patched in 18.0.0-rc-1, 17.10.3, 17.4.9 and 16.10.17. Note that the affected-range data on this page marks 18.0.0-rc-1, 18.0.0 and 18.0.1 as affected and gives 18.1.0-rc-1 as the fixed version for the 18.x line; check the linked fix commit before relying on an 18.0.x release.

Workarounds

There is no known workaround other than upgrading XWiki.

References

  • https://jira.xwiki.org/browse/XCOMMONS-3547
  • https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Jira XWiki.org
  • Email us at Security Mailing List

Attribution

The vulnerability was reported by Michał Kołek.

Database specific
{
    "github_reviewed_at": "2026-05-26T17:16:40Z",
    "nvd_published_at": "2026-05-20T20:16:36Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-23"
    ]
}
Affected packages

Maven
org.xwiki.commons:xwiki-commons-classloader-api

Package

Name
org.xwiki.commons:xwiki-commons-classloader-api
Purl
pkg:maven/org.xwiki.commons/xwiki-commons-classloader-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2-milestone-2
Fixed
16.10.17

Affected versions

4.*
4.2-milestone-2
4.2-milestone-3
4.2-rc-1
4.2
4.3-milestone-1
4.3-milestone-2
4.3-rc-1
4.3
4.3.1
4.4-rc-1
4.4
4.4.1
4.5-milestone-1
4.5-rc-1
4.5
4.5.1
4.5.2
4.5.3
5.*
5.0-milestone-1
5.0-milestone-2
5.0-rc-1
5.0
5.0.1
5.0.2
5.0.3
5.1-milestone-1
5.1-milestone-2
5.1-rc-1
5.1
5.2-milestone-1
5.2-milestone-2
5.2-rc-1
5.2
5.2.1
5.2.2
5.2.3
5.2.4
5.3-milestone-1
5.3-milestone-2
5.3-rc-1
5.3
5.4-milestone-1
5.4-rc-1
5.4
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
6.*
6.0-milestone-1
6.0-milestone-2
6.0-rc-1
6.0
6.0.1
6.1-milestone-1
6.1-milestone-2
6.1-rc-1
6.1
6.2-milestone-1
6.2-milestone-2
6.2-rc-1
6.2
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.7
6.3-milestone-1
6.3-milestone-2
6.3-rc-1
6.3
6.4-milestone-1
6.4-milestone-2
6.4-milestone-3
6.4-rc-1
6.4
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.4.7
6.4.8
7.*
7.0-milestone-1
7.0-milestone-2
7.0-rc-1
7.0
7.0.1
7.1-milestone-1
7.1-milestone-2
7.1-rc-1
7.1
7.1.1
7.1.2
7.1.3
7.1.4
7.2-milestone-1
7.2-milestone-2
7.2-milestone-3
7.2-rc-1
7.2
7.3-milestone-1
7.3-rc-1
7.3
7.4-milestone-1
7.4-milestone-2
7.4-rc-1
7.4
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.4.6
8.*
8.0-milestone-1
8.0-milestone-2
8.0-rc-1
8.0
8.1-milestone-1
8.1-milestone-2
8.1-rc-1
8.1
8.2-milestone-1
8.2-milestone-2
8.2-rc-1
8.2
8.2.1
8.2.2
8.3-milestone-2
8.3-rc-1
8.3
8.4-rc-1
8.4
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6
9.*
9.0-rc-1
9.0
9.1-rc-1
9.1
9.1.1
9.1.2
9.2-rc-1
9.2
9.3-rc-1
9.3
9.3.1
9.4-rc-1
9.4
9.5-rc-1
9.5
9.5.1
9.6-rc-1
9.6
9.7-rc-1
9.7
9.8-rc-1
9.8
9.8.1
9.9-rc-1
9.9-rc-2
9.9
9.10-rc-1
9.10
9.10.1
9.11-rc-1
9.11
9.11.1
9.11.2
9.11.3
9.11.4
9.11.5
9.11.6
9.11.7
9.11.8
9.11.9
10.*
10.0
10.1-rc-1
10.1
10.2
10.3
10.4-rc-1
10.4
10.5-rc-1
10.5
10.6-rc-1
10.6
10.6.1
10.7-rc-1
10.7
10.7.1
10.8-rc-1
10.8
10.8.1
10.8.2
10.8.3
10.9
10.10-rc-1
10.10
10.11-rc-1
10.11
10.11.1
10.11.2
10.11.3
10.11.4
10.11.5
10.11.6
10.11.7
10.11.8
10.11.9
10.11.10
10.11.11
11.*
11.0
11.0.1
11.0.2
11.0.3
11.1-rc-1
11.1
11.2-rc-1
11.2
11.3-rc-1
11.3
11.3.1
11.3.2
11.3.3
11.3.4
11.3.5
11.3.6
11.3.7
11.4-rc-1
11.4
11.5-rc-1
11.5
11.6-rc-1
11.6
11.6.1
11.7-rc-1
11.7
11.8-rc-1
11.8
11.8.1
11.9
11.10
11.10.1
11.10.2
11.10.3
11.10.4
11.10.5
11.10.6
11.10.7
11.10.8
11.10.10
11.10.11
11.10.12
11.10.13
12.*
12.0-rc-1
12.0
12.1-rc-1
12.1
12.2
12.2.1
12.3-rc-1
12.3
12.4-rc-1
12.4
12.5-rc-1
12.5
12.5.1
12.6
12.6.1
12.6.2
12.6.3
12.6.4
12.6.5
12.6.6
12.6.7
12.6.8
12.7-rc-1
12.7
12.7.1
12.8-rc-1
12.8
12.9-rc-1
12.9
12.10
12.10.1
12.10.2
12.10.3
12.10.4
12.10.5
12.10.6
12.10.7
12.10.8
12.10.9
12.10.10
12.10.11
13.*
13.0
13.1-rc-1
13.1
13.2-rc-1
13.2
13.3-rc-1
13.3
13.4-rc-1
13.4
13.4.1
13.4.2
13.4.3
13.4.4
13.4.5
13.4.6
13.4.7
13.5-rc-1
13.5
13.6-rc-1
13.6
13.7-rc-1
13.7
13.8-rc-1
13.8
13.9-rc-1
13.9
13.10-rc-1
13.10
13.10.1
13.10.2
13.10.3
13.10.4
13.10.5
13.10.6
13.10.7
13.10.8
13.10.9
13.10.10
13.10.11
14.*
14.0-rc-1
14.0
14.1-rc-1
14.1
14.2-rc-1
14.2
14.2.1
14.3-rc-1
14.3
14.3.1
14.4-rc-1
14.4
14.4.1
14.4.2
14.4.3
14.4.4
14.4.5
14.4.6
14.4.7
14.4.8
14.5
14.6-rc-1
14.6
14.7-rc-1
14.7
14.8-rc-1
14.8
14.9-rc-1
14.9
14.10
14.10.1
14.10.2
14.10.3
14.10.4
14.10.5
14.10.6
14.10.7
14.10.8
14.10.9
14.10.10
14.10.11
14.10.12
14.10.13
14.10.14
14.10.15
14.10.16
14.10.17
14.10.18
14.10.19
14.10.20
14.10.21
15.*
15.0-rc-1
15.0
15.1-rc-1
15.1
15.2-rc-1
15.2
15.3-rc-1
15.3
15.4-rc-1
15.4
15.5-rc-1
15.5
15.5.1
15.5.2
15.5.3
15.5.4
15.5.5
15.6-rc-1
15.6
15.7-rc-1
15.7
15.8-rc-1
15.8
15.9-rc-1
15.9
15.10-rc-1
15.10
15.10.1
15.10.2
15.10.3
15.10.4
15.10.5
15.10.6
15.10.7
15.10.8
15.10.9
15.10.10
15.10.11
15.10.12
15.10.13
15.10.14
15.10.15
15.10.16
16.*
16.0.0-rc-1
16.0.0
16.1.0-rc-1
16.1.0
16.2.0-rc-1
16.2.0
16.3.0-rc-1
16.3.0
16.3.1
16.4.0-rc-1
16.4.0
16.4.1
16.4.2
16.4.3
16.4.4
16.4.5
16.4.6
16.4.7
16.4.8
16.5.0-rc-1
16.5.0
16.6.0-rc-1
16.6.0
16.7.0
16.7.1
16.8.0-rc-1
16.8.0
16.9.0-rc-1
16.9.0
16.10.0-rc-1
16.10.0
16.10.1
16.10.2
16.10.3
16.10.4
16.10.5
16.10.6
16.10.7
16.10.8
16.10.9
16.10.10
16.10.11
16.10.12
16.10.13
16.10.14
16.10.15
16.10.16

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xq3r-2qv5-vqqm/GHSA-xq3r-2qv5-vqqm.json"
org.xwiki.commons:xwiki-commons-classloader-api

Package

Name
org.xwiki.commons:xwiki-commons-classloader-api
Purl
pkg:maven/org.xwiki.commons/xwiki-commons-classloader-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
17.0.0-rc-1
Fixed
17.4.9

Affected versions

17.*
17.0.0-rc-1
17.0.0
17.1.0-rc-1
17.1.0
17.2.0-rc-1
17.2.0
17.2.1
17.2.2
17.3.0-rc-1
17.3.0
17.4.0-rc-1
17.4.0
17.4.1
17.4.2
17.4.3
17.4.4
17.4.5
17.4.6
17.4.7
17.4.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xq3r-2qv5-vqqm/GHSA-xq3r-2qv5-vqqm.json"
org.xwiki.commons:xwiki-commons-classloader-api

Package

Name
org.xwiki.commons:xwiki-commons-classloader-api
Purl
pkg:maven/org.xwiki.commons/xwiki-commons-classloader-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
17.5.0
Fixed
17.10.3

Affected versions

17.*
17.5.0
17.6.0-rc-1
17.6.0
17.7.0-rc-1
17.7.0
17.8.0-rc-1
17.8.0
17.9.0-rc-1
17.9.0
17.10.0-rc-1
17.10.0
17.10.1
17.10.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xq3r-2qv5-vqqm/GHSA-xq3r-2qv5-vqqm.json"
org.xwiki.commons:xwiki-commons-classloader-api

Package

Name
org.xwiki.commons:xwiki-commons-classloader-api
Purl
pkg:maven/org.xwiki.commons/xwiki-commons-classloader-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
18.0.0-rc-1
Fixed
18.1.0-rc-1

Affected versions

18.*
18.0.0-rc-1
18.0.0
18.0.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xq3r-2qv5-vqqm/GHSA-xq3r-2qv5-vqqm.json"