PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23734 xwiki CVE debrief

CVE-2026-23734 is a critical path traversal issue in XWiki Platform that can let an attacker read configuration files through crafted ssx and jsx resource requests. The problem was publicly disclosed on 2026-05-20 and is patched in 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17.

Vendor
xwiki
Product
xwiki-commons
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-20
Original CVE updated
2026-05-21
Advisory published
2026-05-20
Advisory updated
2026-05-21

Who should care

Administrators and operators of XWiki Platform instances, especially anyone exposing ssx or jsx endpoints to untrusted networks. Security teams should pay particular attention if XWiki configuration files may contain secrets, database credentials, or other sensitive deployment details.

Technical summary

According to the NVD record and linked GitHub Security Advisory, versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow path traversal via the resources parameter on ssx and jsx endpoints when leading slashes are used. The example request shown in the description demonstrates that a crafted resource path can reach WEB-INF/xwiki.cfg, enabling unauthorized read access to configuration files. The advisory maps the weakness to CWE-23 (Relative Path Traversal).

Defensive priority

Urgent. The CVSS 9.3 Critical rating and the ability to read configuration files justify immediate patching and exposure review, even if no active exploitation is known from the provided corpus.

Recommended defensive actions

  • Upgrade XWiki Platform to a fixed release: 18.1.0-rc-1, 17.10.3, 17.4.9, or 16.10.17, depending on your branch.
  • Restrict network access to XWiki administrative and rendering endpoints, including ssx and jsx, until patched.
  • Audit logs for suspicious requests to ssx/jsx endpoints that use the resources parameter with traversal patterns or leading slashes.
  • Review whether exposed configuration files may contain credentials, tokens, or other secrets, and rotate any sensitive values if exposure is suspected.
  • Validate that reverse proxies, WAF rules, and application routing do not unintentionally broaden access to internal XWiki paths.

Evidence notes

The vulnerability description in the NVD record states that XWiki Platform versions before the listed fixed releases allow configuration-file read access through crafted ssx/jsx resource URLs, leading to path traversal. The GitHub Security Advisory reference and the linked XWiki commit support that a code-level fix was released. The Jira ticket reference provides the project-tracked issue context. This summary stays within the supplied corpus and official links.

Official resources

Publicly disclosed on 2026-05-20 in the NVD record and associated GitHub Security Advisory references. The supplied record shows the issue as received by NVD on the same date and patched in the fixed releases listed above.