CVE-2026-33137 is a critical XWiki Platform vulnerability: the POST /wikis/{wikiName} API triggers a XAR import without performing any authentication or authorization check, so a remote attacker who has no account on the wiki can create or update documents in the target wiki. That is a direct hit on content integrity and potentially on broader trust in the site. The issue was pub [truncated]
CVE-2026-23734 is a critical path traversal issue in XWiki Platform that can let an attacker read configuration files through crafted skin-extension (ssx and jsx) resource requests. The problem was publicly disclosed on 2026-05-20 and is patched in 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17.
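The two checks a defender wants for the issues above are a scan of web access logs for the request shapes involved and a version test against the listed fix releases. The script below is an added example, not XWiki code or part of either advisory. It assumes the wiki is served under the usual /xwiki prefix, that skin-extension resources appear in the log as /bin/ssx/... and /bin/jsx/..., and that the REST API lives under /rest/, so the XAR-import call shows up as POST /xwiki/rest/wikis/<name>; the log lines are constructed samples in Combined Log Format, not captures of a real exploit. The version logic goes slightly beyond the text: it treats a release on an intermediate branch that received no fix (17.6.x, for instance) as unpatched even though it is numerically above 17.4.9.

```python
"""XWiki access-log triage and fix-version check (added example, not XWiki code)."""
import re
from urllib.parse import unquote

# Fix releases for CVE-2026-23734 as listed in the advisory text above.
FIX_VERSIONS_CVE_2026_23734 = ["18.1.0-rc-1", "17.10.3", "17.4.9", "16.10.17"]

# Combined Log Format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# A ".." path segment anywhere in the decoded path.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
# Assumed URL layout (see lead-in): skin extensions under /bin/ssx/ and /bin/jsx/,
# XAR import as POST /rest/wikis/<wikiName> with an optional query string.
SKIN_EXT_RE = re.compile(r'/bin/(ssx|jsx)/')
XAR_IMPORT_RE = re.compile(r'/rest/wikis/[^/?]+/?$')


def decode_path(path: str) -> str:
    """Strip the query string, decode twice (catches %252e%252e), normalise slashes."""
    p = path.split('?', 1)[0]
    for _ in range(2):
        p = unquote(p)
    return p.replace('\\', '/')


def classify_request(method: str, path: str):
    """Label a request that matches either advisory's request shape, else None."""
    decoded = decode_path(path)
    if SKIN_EXT_RE.search(decoded) and TRAVERSAL_RE.search(decoded):
        return "CVE-2026-23734:traversal-in-skin-extension"
    if method == "POST" and XAR_IMPORT_RE.search(decoded):
        return "CVE-2026-33137:xar-import-attempt"
    return None


def scan(log_text: str):
    """Return [(client_ip, label, raw_path)] for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m['method'], m['path'])
        if label:
            hits.append((m['ip'], label, m['path']))
    return hits


_QUAL_RANK = {"milestone": 0, "rc": 1}  # pre-release qualifiers used by XWiki, final = 2


def parse_version(v: str):
    """'17.10.3' -> ((17,10,3), 2, 0); '18.1.0-rc-1' -> ((18,1,0), 1, 1)."""
    parts = v.split('-')
    nums = tuple(int(x) for x in parts[0].split('.'))
    nums = nums + (0,) * max(0, 3 - len(nums))
    if len(parts) == 1:
        return (nums, 2, 0)
    qnum = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 0
    return (nums, _QUAL_RANK.get(parts[1].lower(), 0), qnum)


def is_patched(version: str, fix_versions=FIX_VERSIONS_CVE_2026_23734) -> bool:
    """True if `version` is at or above the fix release of its own major.minor
    branch, or its branch is newer than every fix branch (e.g. 18.2.0).
    Releases on a branch that got no fix (17.6.x, 17.8.x) are reported unpatched."""
    key = parse_version(version)
    branch = key[0][:2]
    fixes = [parse_version(f) for f in fix_versions]
    for f in fixes:
        if f[0][:2] == branch:
            return key >= f
    return branch > max(f[0][:2] for f in fixes)


# Constructed sample log; the traversal paths are illustrative shapes, not a real payload.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2026:10:01:02 +0000] "GET /xwiki/bin/ssx/XWiki/SearchCode HTTP/1.1" 200 1822
203.0.113.7 - - [20/May/2026:10:01:05 +0000] "GET /xwiki/bin/jsx/..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg HTTP/1.1" 200 4096
198.51.100.9 - - [20/May/2026:10:02:11 +0000] "GET /xwiki/bin/ssx/%252e%252e/%252e%252e/WEB-INF/xwiki.properties HTTP/1.1" 200 5120
198.51.100.9 - - [20/May/2026:10:03:40 +0000] "POST /xwiki/rest/wikis/xwiki?backup=true HTTP/1.1" 200 310
192.0.2.5 - - [20/May/2026:10:04:00 +0000] "GET /xwiki/rest/wikis/xwiki HTTP/1.1" 200 900
"""

if __name__ == "__main__":
    for ip, label, path in scan(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{path}")
    for v in ("17.10.2", "17.10.3", "17.6.0", "18.1.0-milestone-2", "18.1.0", "18.2.0"):
        print(f"{v:>20}: {'patched' if is_patched(v) else 'VULNERABLE'}")
```

Run it against a real access log by passing the file contents to `scan()`; the XAR-import rule fires on any POST to the wiki resource regardless of response status, since an accepted import and a rejected one look the same to an attacker probing for the flaw, and only the status code tells you which happened.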
CVE-2025-24893 affects XWiki Platform and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning exploitation in the wild has been confirmed. Defenders should treat it as an active risk and prioritize remediation following vendor guidance; CISA's remediation due date is 2025-11-20.