XWiki 6.1 Milestone 1
cpe:2.3:a:xwiki:xwiki:6.1:milestone1:*:*:*:*:*:*
part: a version: 6.1 update: milestone1
| Vendor | Xwiki (cdc9c0cd-6ac5-5dc0-9f52-915ebd57f20d) |
|---|---|
| Product | Xwiki (2fad5bf8-5703-5dac-bd8d-95a867c2e84d) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:docker/xwiki/xwiki | purl2cpe | 2026-06-01 10:18:15.850649 |
| pkg:github/xwiki/xwiki-platform | purl2cpe | 2026-06-01 10:18:15.850651 |
| pkg:gitlab/q-phillips/xwiki-platform | purl2cpe | 2026-06-01 10:18:15.850652 |
| pkg:xwiki/xwiki | purl2cpe | 2026-06-01 10:18:15.850654 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-32972 | vulnerable | 2026-06-03 15:00:42.556324 | The lesscss script service allows cache clearing without programming right. LOW (2.7). XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1. Published: 2025-04-30T14:54:58.945Z. Updated: 2025-04-30T15:17:31.398Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-35162 | vulnerable | 2026-06-03 14:52:17.906765 | XPlatform Wiki vulnerable to cross-site scripting via xcontinue parameter in preview actions template. CRITICAL (9.7). XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). It's possible to exploit the previewactions template to perform an XSS, e.g. by using a URL such as: `<hostname>/xwiki/bin/get/FlamingoThemes/Cerulean xpage=xpart&vm=previewactions.vm&xcontinue=javascript:alert(document.domain)`. This vulnerability exists since XWiki 6.1-rc-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1. Published: 2023-06-23T18:52:19.725Z. Updated: 2024-11-29T14:25:46.790Z | Imported from gcve-enriched-dumps CVE data |