Log, Stock, and Barrel: XSS in XWiki's Logging Macros
Vulnerability ID: CVE-2026-24128
CVSS Score: Critical (Vendor Assessment)
Published: 2026-01-23
A reflected Cross-Site Scripting (XSS) vulnerability in the XWiki Platform's logging infrastructure allows attackers to inject malicious scripts via crafted extension identifiers, targeting administrators viewing system logs.
TL;DR
XWiki Platform trusted user input a little too much in its logging_macros.vm template. By supplying a malicious extension ID during an installation request, an attacker can poison the logs. When an admin views these logs to debug the failure, the script executes, potentially leading to session hijacking. Fixed in versions 16.10.12, 17.4.5, and 17.8.0-rc-1.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: Critical (Vendor Internal)
- Impact: Session Hijacking / Potential RCE
- Exploit Status: PoC Available (Theoretical)
- KEV Status: Not Listed
Affected Systems
- XWiki Platform: >= 7.0-milestone-2, < 16.10.12 (Fixed in: 16.10.12)
- XWiki Platform: >= 17.0, < 17.4.5 (Fixed in: 17.4.5)
- XWiki Platform: >= 17.5, < 17.8.0-rc-1 (Fixed in: 17.8.0-rc-1)
Code Analysis
Commit: 8337ac8
Fix injection in logging macros
--- a/.../logging_macros.vm
+++ b/.../logging_macros.vm
- #set ($_extensionName = $argument)
+ #set ($_extensionName = $!escapetool.xml($argument))
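Review bot: `$!escapetool.xml($argument)` is the right encoder only if `$_extensionName` is later emitted as HTML element content or inside a quoted attribute; if logging_macros.vm also places the value inside a `<script>` block, an inline event handler or a URL, XML entity encoding does not neutralise it and a context-specific encoder (`$escapetool.javascript`, `$escapetool.url`) is needed at that sink. The switch to the `$!` silent reference is worthwhile in its own right, since a null `$argument` would otherwise render the literal reference text into the log view. Worth confirming that no other `#set` in the same template still reads `$argument` unescaped.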
Exploit Details
- Manual Analysis: Exploit involves passing HTML tags in extension ID parameters.
Mitigation Strategies
- Input Sanitization
- Output Encoding
- Content Security Policy (CSP)
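The two defensive checks above (detecting poisoned extension identifiers in installer logs, and output encoding at the point of rendering) as an added Python example that is not part of this advisory or of XWiki's code. It assumes a constructed log-line format and uses `html.escape` as a stand-in for Velocity's `$escapetool.xml`.

```python
import html
import re

# Constructed sample installer log lines (assumption: the exact layout of
# XWiki's InstallJob messages varies by version; only the "[id]" shape matters).
SAMPLE_LOG = """\
2026-01-23 10:12:01,004 [exec-5] INFO  InstallJob - Installing extension [org.xwiki.contrib:example-macro/1.2.0]
2026-01-23 10:12:03,118 [exec-7] ERROR InstallJob - Failed to resolve extension [<b>bad</b>:ext/1.0]
2026-01-23 10:12:05,442 [exec-2] ERROR InstallJob - Failed to resolve extension [com.example:bogus/9.9.9]
"""

# A well-formed extension coordinate is groupId:artifactId[/version]; any id
# outside this character set cannot be a real coordinate and deserves review.
VALID_ID = re.compile(r"^[A-Za-z0-9._-]+:[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)?$")
# Greedy match up to the last ']' so an id containing ']' is captured whole.
EXT_IN_LOG = re.compile(r"extension \[(.*)\]")


def extract_extension_ids(log_text):
    """Return every extension id mentioned in installer log lines, in order."""
    ids = []
    for line in log_text.splitlines():
        match = EXT_IN_LOG.search(line)
        if match:
            ids.append(match.group(1))
    return ids


def suspicious_extension_ids(log_text):
    """Ids that are not well-formed coordinates, e.g. ones carrying HTML markup."""
    return [ext for ext in extract_extension_ids(log_text) if not VALID_ID.match(ext)]


def render_escaped(extension_id):
    """What the patched template emits: the id with & < > " ' entity-encoded, so
    markup is displayed as text in the log view rather than interpreted.
    html.escape is an assumed equivalent of Velocity's $escapetool.xml here."""
    return html.escape(extension_id, quote=True)


if __name__ == "__main__":
    for ext in suspicious_extension_ids(SAMPLE_LOG):
        print("flagged:", ext, "-> rendered as:", render_escaped(ext))
```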
Remediation Steps:
- Upgrade XWiki Platform to version 16.10.12, 17.4.5, or 17.8.0-rc-1.
- Verify the integrity of logging_macros.vm if manual patching was attempted.
- Clear browser caches to ensure the new template logic is loaded.