{"id":"CVE-2026-23734","summary":"XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash","details":"XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow configuration files to be read by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability can be exploited via the resources parameter of the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17.","aliases":["GHSA-xq3r-2qv5-vqqm"],"modified":"2026-06-20T09:55:59.721364Z","published":"2026-05-20T18:39:32.313Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23734.json","cwe_ids":["CWE-23"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://jira.xwiki.org/browse/XCOMMONS-3547"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23734.json"},{"type":"ADVISORY","url":"https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-xq3r-2qv5-vqqm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23734"},{"type":"FIX","url":"https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/xwiki/xwiki-commons","events":[{"introduced":"0"},{"introduced":"65026305bca6d736adf61a6801a9187195ef431d"},{"introduced":"21ac0093d824f130d0a47c38995241208273720b"},{"introduced":"0f12307c8803e5abd5fe7016bd0adf0850c5f903"},{"introduced":"c867b3899680bc320d9c834ff2e1f4e061989491"},{"fixed":"edd156e6c186725fc73d394b523e18f24650c601"},{"fixed":"f8dc0a25fae452b1cc6fbc57f2f629a2cac9bcf5"},{"fixed":"24ac7cee0ec6fcb2d21883aaaaea4340df26331a"},{"fixed":"ac4c70e676ba83f6908e0c8b8414172c4af25716"},{"fixed":"a979cafd89f6a9c9c0b9ab19744d6
72df64429bf"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"4.2-milestone-2"},{"fixed":"16.10.17"},{"introduced":"17.0.0-rc-1"},{"fixed":"17.4.9"},{"introduced":"17.5.0"},{"fixed":"17.10.3"},{"introduced":"18.0.0-rc-1"},{"fixed":"18.1.0-rc-1"}]}}],"versions":["xwiki-commons-17.4.8","xwiki-commons-16.10.16","xwiki-commons-17.10.2","xwiki-commons-17.10.1","xwiki-commons-16.10.15","xwiki-commons-17.10.0","xwiki-commons-17.10.0-rc-1","xwiki-commons-17.4.7","xwiki-commons-16.10.14","xwiki-commons-16.10.13","xwiki-commons-17.4.6","xwiki-commons-17.4.5","xwiki-commons-16.10.12","xwiki-commons-16.10.11","xwiki-commons-17.4.4","xwiki-commons-17.4.3","xwiki-commons-16.10.10","xwiki-commons-17.4.2","xwiki-commons-16.10.9","xwiki-commons-17.4.1","xwiki-commons-17.4.0","xwiki-commons-17.4.0-rc-1","xwiki-commons-16.10.8","xwiki-commons-16.10.7","xwiki-commons-16.10.6","xwiki-commons-16.10.5","xwiki-commons-16.10.4","xwiki-commons-16.10.3","xwiki-commons-16.10.2","xwiki-commons-16.10.1","xwiki-commons-16.10.0","xwiki-commons-16.10.0-rc-1","xwiki-commons-8.3-milestone-2","xwiki-commons-8.3-milestone-1","xwiki-commons-8.2-milestone-2","xwiki-commons-8.2-milestone-1","xwiki-commons-8.1-milestone-2","xwiki-commons-8.1-milestone-1","xwiki-commons-8.0-milestone-2","xwiki-commons-8.0-milestone-1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23734.json","vanir_signatures":[{"deprecated":false,"target":{"file":"xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/test/java/org/xwiki/classloader/internal/ClassLoaderUtilsTest.java"},"source":"https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["2948023592146722606491836670185018653","274104245728058916856442530221646087902","138909001934265186495120935438141488604","1897222649
89612013457392855371978334318","325443459546169335721702422478700535511","248308437212831236273076095235174256875","41782896662997759645816495766191793731","188711983414259152124599187542176373177"]},"id":"CVE-2026-23734-12dea3f1"},{"deprecated":false,"target":{"file":"xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/main/java/org/xwiki/classloader/internal/ClassLoaderUtils.java"},"source":"https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["308989672931439701215515641288251888827","156634038738375471232741595136121852381","50227681565533930959011950212750396681","160201200821243622785031614106229528724","175225849133164330438125518539838979339","249366572244995496268506381131438116119","301035959686307071156626950511214637879","51077397778220341750957244371873746038","270872738632402461207564462793543829467","77959831762428945948369470785563242808","157791561003054887425238913442336212630"]},"id":"CVE-2026-23734-6b1fedcf"},{"deprecated":false,"target":{"function":"getResource","file":"xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/test/java/org/xwiki/classloader/internal/ClassLoaderUtilsTest.java"},"source":"https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf","signature_version":"v1","signature_type":"Function","digest":{"length":1000,"function_hash":"28893803558754679635221987699601855831"},"id":"CVE-2026-23734-81b567d6"},{"deprecated":false,"target":{"function":"getResourceAsStream","file":"xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/test/java/org/xwiki/classloader/internal/ClassLoaderUtilsTest.java"},"source":"https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf","signature_version":"v1","signature_type":"Function","digest":{"length":1002,"function_hash":"148662974130918769
542307519163597290942"},"id":"CVE-2026-23734-86ff1272"},{"deprecated":false,"target":{"function":"resolveResourceName","file":"xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/main/java/org/xwiki/classloader/internal/ClassLoaderUtils.java"},"source":"https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf","signature_version":"v1","signature_type":"Function","digest":{"length":640,"function_hash":"77918730999879680585106513262093506912"},"id":"CVE-2026-23734-b05e300f"}],"vanir_signatures_modified":"2026-06-20T09:55:59Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}