Platform
java
Component
xwiki-platform
Fixed in
17.0.1
17.5.1
CVE-2026-33229 is a Remote Code Execution (RCE) vulnerability affecting the XWiki Platform. The flaw stems from an improperly protected scripting API that lets users holding script rights escape the Velocity scripting API's sandbox and execute arbitrary code, potentially gaining full access to the XWiki instance. The vulnerability affects versions 17.0.0-rc-1 through 17.10.1, excluding 17.4.8 and later. A patch is available in version 17.4.8.
Exploit Status
EPSS
0.15% (36th percentile)
Update XWiki Platform to version 17.4.8 or later, or to version 17.10.1 or later. This update fixes a remote code execution vulnerability by properly protecting the Velocity scripting API, preventing users with script permissions from executing arbitrary code.
CVE-2026-33229 is a Remote Code Execution (RCE) vulnerability in XWiki Platform. It allows users with script rights to bypass the sandboxing of the Velocity scripting API and execute arbitrary code, potentially compromising the entire XWiki instance.
You are potentially affected if you are running XWiki Platform versions 17.0.0-rc-1 through 17.5.0-rc-1, or between 17.5.0-rc-1 and 17.10.1 (excluding 17.4.8 and later).
Upgrade to XWiki Platform version 17.4.8 or later to address this vulnerability. Ensure that script rights are not granted to untrusted users to minimize potential impact.