Platform: java
Component: org.xwiki.platform:xwiki-platform-oldcore
Fixed in: 1.0.1, 16.0.1, 16.5.1, 15.10.16
CVE-2024-56158 describes a critical SQL Injection vulnerability discovered in XWiki Platform. This flaw allows attackers to execute arbitrary SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions prior to 15.10.16, 16.4.7, and 16.10.2. Patches are available to address this issue.
The SQL injection vulnerability in XWiki Platform allows an attacker to use functions such as DBMSXMLGEN or DBMSXMLQUERY inside HQL queries. Because the XWiki query validator does not reject these functions, Hibernate passes them through into the native SQL query it generates. Successful exploitation lets an attacker bypass XWiki's query restrictions and interact directly with the underlying database, which can lead to extraction of sensitive data, modification of critical system configuration, or complete system takeover. The impact is greatest in environments where XWiki manages sensitive information or integrates with other critical systems.
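The root cause above is a query validator that only knows about a fixed set of dangerous names, so vendor-specific functions slip through. The following Java class is an added illustration of the defensive alternative, an allow-list of permitted function names, and is not XWiki's own validator: the class name HqlFunctionAllowList, the contents of ALLOWED_FUNCTIONS and KEYWORDS, and the sample queries are all hypothetical and constructed for this example. It only flags the function name the advisory cites; the argument is a bind-parameter placeholder.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Allow-list check for function calls inside an HQL string.
 *
 * Added example, not XWiki's code. Rejecting only the function names a CVE
 * mentions (a denylist) is fragile; the safer default is to permit a small,
 * known set of functions and reject everything else.
 */
public final class HqlFunctionAllowList {

    // Hypothetical allow-list: functions a wiki query is legitimately expected to use.
    private static final Set<String> ALLOWED_FUNCTIONS = Set.of(
            "count", "max", "min", "sum", "avg",
            "lower", "upper", "length", "trim", "concat", "coalesce");

    // HQL keywords that may be followed by "(" without being function calls.
    private static final Set<String> KEYWORDS = Set.of(
            "in", "not", "exists", "and", "or", "where", "select", "from", "values");

    // An identifier (optionally dotted, e.g. PACKAGE.FUNC) directly followed by "(".
    private static final Pattern CALL = Pattern.compile("\\b([A-Za-z_][A-Za-z0-9_.]*)\\s*\\(");

    private HqlFunctionAllowList() {
    }

    /** Returns every function name in the query that is not on the allow-list. */
    public static List<String> disallowedFunctions(String hql) {
        List<String> bad = new ArrayList<>();
        Matcher m = CALL.matcher(hql);
        while (m.find()) {
            // Compare case-insensitively: neither HQL nor the database is case-sensitive here.
            String name = m.group(1).toLowerCase(Locale.ROOT);
            if (KEYWORDS.contains(name) || ALLOWED_FUNCTIONS.contains(name)) {
                continue;
            }
            bad.add(m.group(1));
        }
        return bad;
    }

    /** True only when every function call in the query is on the allow-list. */
    public static boolean isAllowed(String hql) {
        return disallowedFunctions(hql).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample queries. The second one only names the function the
        // advisory cites, with a bind-parameter placeholder as its argument.
        String ok = "select doc.fullName from XWikiDocument doc where lower(doc.space) = :space";
        String bad = "select doc.fullName from XWikiDocument doc where DBMSXMLGEN(:arg) is not null";
        System.out.println("ok query allowed:  " + isAllowed(ok));
        System.out.println("bad query allowed: " + isAllowed(bad));
        System.out.println("flagged functions: " + disallowedFunctions(bad));
    }
}
```

The check deliberately does not strip string literals before scanning, so a quote containing `name(` is rejected rather than ignored; that over-rejection is the safe direction, and queries that bind their values as parameters instead of inlining literals are unaffected. An allow-list also means a newly discovered vendor function needs no rule change to be blocked.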
While no active exploitation campaigns have been publicly reported, the severity of the vulnerability (CVSS 9.5) and the ease of exploitation (due to the use of standard SQL functions) suggest a high likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability description provides sufficient detail for attackers to develop their own exploits. The vulnerability was disclosed on June 12, 2025.
Exploit Status
EPSS: 0.71% (72nd percentile)
CISA SSVC
The primary mitigation for CVE-2024-56158 is to upgrade XWiki Platform to a patched version: 15.10.16, 16.4.7, or 16.10.2. Unfortunately, there are no known workarounds beyond upgrading. Prior to upgrading, it is crucial to review the XWiki release notes for any potential breaking changes and plan a rollback strategy if necessary. After upgrading, verify the fix by attempting to execute a SQL query through the vulnerable endpoint and confirming that it is properly sanitized and rejected.
Update XWiki to version 16.10.2, 16.4.7, or 15.10.16, or a later version. These versions contain a fix for the SQL injection vulnerability. The update will prevent the execution of unauthorized SQL queries in the Oracle database.
CVE-2024-56158 is a critical SQL Injection vulnerability in XWiki Platform allowing attackers to execute arbitrary SQL queries, potentially leading to data breaches and system compromise.
You are affected if you are running XWiki Platform versions prior to 15.10.16, 16.4.7, or 16.10.2. Upgrade immediately to mitigate the risk.
Upgrade XWiki Platform to version 15.10.16, 16.4.7, or 16.10.2. There are no known workarounds besides upgrading.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official XWiki advisory on their Jira instance: https://jira.xwiki.org/browse/XWIKI-22734