The XWiki security policy is detailed in the following document: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.
Security: xwiki/xwiki-platform
- XJetty allow accessing any application file through URL (GHSA-53gx-j3p6-2rw9), published Dec 1, 2025 by tmortagne, severity: High
- REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis (GHSA-cc84-q3v3-mhgf), published Dec 10, 2025 by michitux, severity: High
- Reflected XSS via xredirect parameter in DeleteApplication (GHSA-7vpr-jm38-wr7w), published Dec 10, 2025 by michitux, severity: Moderate
- HQL injection via wiki and space search REST API (GHSA-gprp-h92g-gc2h), published Oct 6, 2025 by tmortagne, severity: Critical
- Configuration files can be accessed through jsx and sx endpoints (GHSA-m63c-3rmg-r2cf), published Sep 3, 2025 by tmortagne, severity: Critical
- Configuration files can be accessed through the webjars API (GHSA-qww7-89xh-x7m7), published Sep 3, 2025 by tmortagne, severity: Critical
- PDF export jobs store sensitive cookies unencrypted in job statuses (GHSA-9m7c-m33f-3429), published Aug 28, 2025 by mflorea, severity: Moderate
- Reflected XSS in two templates (GHSA-m9x4-w7p9-mxhx), published Aug 5, 2025 by michitux, severity: Moderate
- SQL injection through getdeleteddocuments.vm template sort parameter (GHSA-vr59-gm53-v7cq), published Jul 24, 2025 by tmortagne, severity: Critical
- SQL injection through XWiki#searchDocuments API (GHSA-p9qm-p942-q3w5), published Jul 25, 2025 by tmortagne, severity: High