
XWiki page history compare allows malicious JavaScript execution

GHSA-w4fj-87j5-f25c CVE-2026-40105
Summary

A reflected cross-site scripting flaw in XWiki's page history compare feature allows an attacker to execute JavaScript in a victim's browser. If the victim is an administrator, this can compromise the confidentiality, integrity and availability of the entire XWiki instance. To fix the issue, update your XWiki installation to a patched version or apply the workaround provided by XWiki.

What to do
  • Update xwiki org.xwiki.platform:xwiki-platform-web-templates to version 16.10.16.
  • Update xwiki org.xwiki.platform:xwiki-platform-web-templates to version 17.4.8.
  • Update xwiki org.xwiki.platform:xwiki-platform-web-templates to version 17.10.1.
Affected software
Ecosystem: maven
Vendor: xwiki
Product: org.xwiki.platform:xwiki-platform-web-templates
Affected versions:
  • >= 10.4-rc-1, < 16.10.16
  • >= 17.0.0-rc-1, < 17.4.8
  • >= 17.5.0-rc-1, < 17.10.1
Fix: upgrade to 16.10.16 (or to 17.4.8 / 17.10.1 on the 17.x branches, as listed under "What to do")
Original title
XWiki has Reflected Cross-Site Scripting (XSS) in page history compare
Original description
### Impact
A reflected cross-site scripting vulnerability (XSS) in the compare view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance.

### Patches
The problem has been patched by properly escaping the URL parameters.

### Workarounds
The [patch](https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c#diff-a5e75a4e3820a63c02a32666dda67c73ee7885ab8e7f67e52cfcb3be5a13326e) can be applied manually to `templates/changesdoc.vm` in the deployed WAR.
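The fix described above is escape-on-output. The following is an added Python model of that defect and its repair, not XWiki's own code (the real compare view is the Velocity template `templates/changesdoc.vm`, and the `rev1`/`rev2` parameter names and the sample URLs are assumptions for this example):

```python
# Added example (not XWiki's code): models a reflected XSS through URL
# parameters echoed into a revision-compare page, and the escaping fix.
import html
import re
from urllib.parse import parse_qs, urlsplit

# XWiki revision identifiers use a "major.minor" scheme (e.g. "1.1", "2.3").
REVISION_RE = re.compile(r"^[0-9]+\.[0-9]+$")


def parse_compare_params(url: str) -> dict:
    """Extract the two revision parameters from a compare-view URL.
    The names 'rev1'/'rev2' are assumed for this example."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: query.get(k, [""])[0] for k in ("rev1", "rev2")}


def render_heading_unsafe(rev1: str, rev2: str) -> str:
    """Vulnerable pattern: URL parameters interpolated into HTML verbatim,
    so '<' and '>' in a parameter become live markup in the page."""
    return f"<h1>Changes between {rev1} and {rev2}</h1>"


def render_heading_safe(rev1: str, rev2: str) -> str:
    """Fixed pattern: HTML-escape every parameter at the point of output."""
    return f"<h1>Changes between {html.escape(rev1)} and {html.escape(rev2)}</h1>"


def is_valid_revision(value: str) -> bool:
    """Additional check a defender would add: reject values that do not
    look like a revision id before they reach any template at all."""
    return REVISION_RE.match(value) is not None


def payload_survives(rendered: str, payload: str) -> bool:
    """Detection helper: did the raw payload reach the rendered HTML intact?"""
    return payload in rendered


# Constructed sample input: a benign compare URL and one carrying a script tag.
BENIGN_URL = "https://wiki.example/bin/view/Main/WebHome?viewer=changes&rev1=1.1&rev2=2.1"
PAYLOAD = "<script>alert(1)</script>"
HOSTILE_URL = f"https://wiki.example/bin/view/Main/WebHome?viewer=changes&rev1=1.1&rev2={PAYLOAD}"

if __name__ == "__main__":
    params = parse_compare_params(HOSTILE_URL)
    print("unsafe:", render_heading_unsafe(params["rev1"], params["rev2"]))
    print("safe:  ", render_heading_safe(params["rev1"], params["rev2"]))
    print("valid revision ids:", all(is_valid_revision(v) for v in params.values()))
```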

### Attribution

XWiki thanks Mike Cole @mikecole-mg for discovering and reporting this vulnerability.
Severity: CVSS 4.0 score 6.5 (source: GHSA)
Vulnerability type
CWE-80 Basic XSS
Published: 14 Apr 2026 · Updated: 16 Apr 2026 · First seen: 14 Apr 2026