CVE-2026-40105 Overview
CVE-2026-40105 is a reflected cross-site scripting (XSS) vulnerability in XWiki Platform, a generic wiki platform offering runtime services for applications built on top of it. The vulnerability exists in the comparison view between revisions of a page, allowing attackers to execute arbitrary JavaScript code in a victim's browser. This flaw affects multiple version branches including 10.4-rc-1 through 16.10.15, 17.0.0-rc-1 through 17.4.7, and 17.5.0-rc-1 through 17.10.0.
Critical Impact
If an administrator views a maliciously crafted comparison URL, attackers can compromise the confidentiality, integrity, and availability of the entire XWiki instance through the admin's elevated privileges.
Affected Products
- XWiki Platform versions 10.4-rc-1 through 16.10.15
- XWiki Platform versions 17.0.0-rc-1 through 17.4.7
- XWiki Platform versions 17.5.0-rc-1 through 17.10.0
Discovery Timeline
- 2026-04-15 - CVE-2026-40105 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-40105
Vulnerability Analysis
This reflected XSS vulnerability (CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page) resides in the changesdoc.vm Velocity template file. The flaw occurs when URL parameters for revision comparison (rev1 and rev2) are directly interpolated into generated URLs without proper encoding. When a user accesses a revision comparison view with specially crafted parameters, the malicious payload is reflected back and executed in the context of the user's authenticated session.
The vulnerability is particularly dangerous when targeting administrator users. XWiki administrators possess extensive privileges including the ability to execute server-side code, modify system configurations, manage user accounts, and access sensitive data. An attacker successfully exploiting this vulnerability against an admin could effectively gain full control over the XWiki instance.
Root Cause
The root cause is improper output encoding in the changesdoc.vm template. The vulnerable code directly concatenates user-controlled parameters (previousOrigdocVersion, nextOrigdocVersion, previousNewdocVersion, nextNewdocVersion) into URL query strings using string interpolation rather than proper URL encoding. This allows an attacker to inject script content that breaks out of the URL context and executes in the browser.
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts a malicious URL containing JavaScript payloads in the revision version parameters, then tricks a victim (typically an administrator) into opening the link, for example through phishing or social engineering. When the victim accesses the comparison view, the malicious JavaScript executes in their browser with their session privileges.
## Security patch from the changesdoc.vm template
## Source: https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c
## VULNERABLE CODE (before patch): parameters interpolated straight into the query string
#set ($changesLink = ${xwiki.getURL($tdoc, 'view', "viewer=changes&rev1=${previousOrigdocVersion}&rev2=${rev2}")})
## FIXED CODE (after patch): parameters URL-encoded by $escapetool.url()
#set ($changesLink = ${xwiki.getURL($tdoc, 'view',
  $escapetool.url({'viewer': 'changes', 'rev1': $previousOrigdocVersion, 'rev2': $rev2}))})
The fix replaces direct string interpolation with the $escapetool.url() method, which properly URL-encodes all parameter values, preventing script injection through these parameters.
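To make the difference concrete, the following added Python model (not XWiki's code; the function names are hypothetical) reproduces both URL-building strategies from the template above. The fixed version does what $escapetool.url() does: every value is percent-encoded before it is joined into the query string, so a revision value containing quote or angle-bracket characters can no longer alter the markup the link is rendered into, while the server still receives the original value once it decodes the parameter.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "/xwiki/bin/view/Main/WebHome"  # constructed document URL for the example


def build_changes_url_unsafe(rev1: str, rev2: str) -> str:
    """Mirrors the pre-patch template: raw string interpolation of the parameters."""
    return f"{BASE}?viewer=changes&rev1={rev1}&rev2={rev2}"


def build_changes_url_fixed(rev1: str, rev2: str) -> str:
    """Mirrors the patched template: values are URL-encoded like $escapetool.url() does."""
    return f"{BASE}?{urlencode({'viewer': 'changes', 'rev1': rev1, 'rev2': rev2})}"


def render_link(url: str) -> str:
    """Models the template placing the generated URL into an href attribute as-is."""
    return f'<a href="{url}">changes</a>'


def attribute_intact(html: str) -> bool:
    """True when the href attribute still ends exactly where the template intended."""
    return html.count('"') == 2 and html.endswith('">changes</a>')


def round_trips(url: str, expected_rev1: str) -> bool:
    """True when the server-side parse of the encoded URL yields the original rev1 value."""
    return parse_qs(urlsplit(url).query)["rev1"][0] == expected_rev1


# Constructed probe: a rev1 value that is not a revision number at all.
PROBE = '1.1"><i>probe</i>'

if __name__ == "__main__":
    unsafe = render_link(build_changes_url_unsafe(PROBE, "2.1"))
    fixed = render_link(build_changes_url_fixed(PROBE, "2.1"))
    print("unsafe:", unsafe, "| attribute intact:", attribute_intact(unsafe))
    print("fixed: ", fixed, "| attribute intact:", attribute_intact(fixed))
    print("fixed URL decodes back to the probe:", round_trips(build_changes_url_fixed(PROBE, "2.1"), PROBE))
```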
Detection Methods for CVE-2026-40105
Indicators of Compromise
- Unusual or encoded JavaScript in URL parameters targeting /xwiki/bin/view/ paths with viewer=changes parameter
- Web server logs showing requests to revision comparison views with suspicious rev1 or rev2 parameter values containing script tags or event handlers
- Browser console errors or unexpected script executions when accessing page comparison views
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing script tags or JavaScript event handlers in URL parameters
- Monitor server access logs for anomalous revision comparison requests with encoded or obfuscated payloads
- Deploy Content Security Policy (CSP) headers to mitigate the impact of successful XSS attacks by restricting script execution sources
- Use browser-based XSS auditor tools during security testing to identify reflected content
Monitoring Recommendations
- Configure alerting on access log patterns matching XWiki comparison view URLs with abnormally long or encoded parameters
- Monitor for failed or unusual administrative actions that may indicate a compromised admin session
- Review authentication logs for administrator accounts accessing XWiki from unexpected IP addresses or locations
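The access-log checks in the two lists above can be turned into a small allow-list detector. This added Python script (not part of the advisory or of XWiki) parses combined-format access log lines, decodes the rev1 and rev2 parameters repeatedly so double-encoded values are inspected in clear, and flags any comparison-view request whose revision parameter is not in the usual XWiki major.minor form (an assumption about the revision format); matching on the expected shape catches obfuscated payloads that a script-tag signature would miss. The log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: XWiki document revisions look like "1.1" or "12.3"; anything else is suspect.
VERSION_RE = re.compile(r"^\d+\.\d+$")
# Combined/common access log format as written by Apache httpd and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def deep_unquote(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded values are inspected decoded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str):
    """Return (reason, param, decoded_value) for a changes-view request with a bad rev parameter, else None."""
    parts = urlsplit(target)
    if "/bin/view/" not in parts.path:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("viewer", [""])[0] != "changes":
        return None
    for name in ("rev1", "rev2"):
        for raw in params.get(name, []):
            value = deep_unquote(raw)
            if not VERSION_RE.match(value):
                return ("non-version revision parameter", name, value)
    return None


def scan_log(lines):
    """Yield (ip, timestamp, reason, param, value) for suspicious comparison-view requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hit := inspect_request(m["target"])):
            yield (m["ip"], m["ts"], *hit)


# Constructed samples: a benign comparison, a double-encoded probe, and an unrelated page view.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Apr/2026:10:01:02 +0000] "GET /xwiki/bin/view/Main/WebHome?viewer=changes&rev1=1.1&rev2=2.1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [15/Apr/2026:10:02:13 +0000] "GET /xwiki/bin/view/Main/WebHome?viewer=changes&rev1=1.1%2522%253E%253Cb%253Eprobe&rev2=2.1 HTTP/1.1" 200 5200',
    '203.0.113.7 - - [15/Apr/2026:10:03:44 +0000] "GET /xwiki/bin/view/Main/WebHome?rev1=%3Cb%3E HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT", *hit)
```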
How to Mitigate CVE-2026-40105
Immediate Actions Required
- Update XWiki Platform to version 16.10.16, 17.4.8, or 17.10.1 or later immediately
- Review web server access logs for potential exploitation attempts targeting the comparison view functionality
- Advise administrators to avoid clicking untrusted links while logged into XWiki
- Implement Content Security Policy headers to reduce XSS impact as a defense-in-depth measure
Patch Information
XWiki has released patched versions addressing this vulnerability. Users should upgrade to version 16.10.16, 17.4.8, or 17.10.1 or later depending on their version branch. The security fix is documented in commit 3c8a2ec985641367015c2db937574fcd360c788c. For additional details, refer to the GitHub Security Advisory and XWiki Jira Issue XWIKI-23472.
Workarounds
- If immediate upgrade is not possible, manually apply the patch to templates/changesdoc.vm in the deployed WAR file
- Replace direct string interpolation with $escapetool.url() method calls as shown in the GitHub Commit
- Restrict access to XWiki revision comparison functionality at the network layer until patching is complete
# Workaround: Manual patch application
# Navigate to your XWiki deployment directory
cd /path/to/xwiki/webapp/templates/
# Backup the original file
cp changesdoc.vm changesdoc.vm.backup
# Apply the patch manually by replacing vulnerable URL generation
# Change lines using direct string interpolation like:
# "viewer=changes&rev1=${previousOrigdocVersion}&rev2=${rev2}"
# To use escapetool.url() method:
# $escapetool.url({'viewer': 'changes', 'rev1': $previousOrigdocVersion, 'rev2': $rev2})
# Restart XWiki after applying the patch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

