CVE-2026-44179: xwiki-pro-macros has remote code execution from page title and content via excerpt-include macro
The excerpt-include macro does not properly escape the title of the included page and executes the content of the excerpt with the macro’s rights. Therefore, it is vulnerable to XWiki syntax injection via the included page’s title and content, allowing remote code execution for any user who can edit a page.