CVE-2026-23734: XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash
It is possible to read configuration files from the servlet container by requesting URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, where the `resource` parameter starts with a slash followed by `..` segments.
This can apparently be reproduced on Tomcat instances.
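A defender-side check for the request pattern above, added here as an example that is not part of the advisory: it scans constructed Tomcat-style access-log lines (not real traffic) and flags ssx/jsx requests whose `resource` value is absolute or contains a `..` segment after percent-decoding. The log format, client field and the `/xwiki` context root are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the advisory). The third and
# fourth requests follow the pattern described for CVE-2026-23734.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /bin/ssx/Main/WebHome?resource=css/style.css HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 1337
10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "GET /xwiki/bin/jsx/Main/WebHome?resource=%2F..%2F..%2FWEB-INF%2Fxwiki.properties HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Skin-extension endpoints, with or without a context root such as /xwiki.
SKIN_ENDPOINT_RE = re.compile(r"(?:^|/)bin/(?P<endpoint>ssx|jsx)/")

def is_traversal(resource: str) -> bool:
    """True when a resource value could escape the intended resource root:
    absolute (leading slash) or containing a '..' segment. Decoding is
    repeated to catch double percent-encoding; backslashes count as
    separators in case the container normalises them."""
    decoded = resource
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    normalized = decoded.replace("\\", "/")
    return normalized.startswith("/") or ".." in normalized.split("/")

def flag_requests(log_text: str) -> list:
    """One record per ssx/jsx request whose `resource` parameter looks like
    a traversal attempt; all other requests are ignored."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        endpoint = SKIN_ENDPOINT_RE.search(parts.path)
        if not endpoint:
            continue
        # parse_qs applies one round of percent-decoding itself.
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get("resource", []):
            if is_traversal(value):
                hits.append({"client": line.split(" ", 1)[0],
                             "endpoint": endpoint.group("endpoint"),
                             "resource": value})
    return hits
```

Running `flag_requests(SAMPLE_LOG)` returns the two records for client 10.0.0.9; the relative `css/style.css` request is not flagged.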