CVE-2026-40104: XWiki's REST APIs can list all pages/spaces, leading to unavailability
(updated )
REST API endpoints like /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties list all available pages as part of the metadata for database list properties, which can exhaust available resources on large wikis.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-40104 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →