CVE-2026-48048: XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests

May 26, 2026

XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient and with slightly modified parameters to the LiveTableResults, it is still possible to discover password hashes one bit at a time, so with 768 requests, the full password salt and hash can be retrieved of a user.

References

github.com/advisories/GHSA-rh28-mqj4-8x59
github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa
github.com/xwiki/xwiki-platform/security/advisories/GHSA-rh28-mqj4-8x59
jira.xwiki.org/browse/XWIKI-23875
nvd.nist.gov/vuln/detail/CVE-2026-48048

Code Behaviors & Features

Detect and mitigate CVE-2026-48048 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →