CVE-2026-40105: XWiki has Reflected Cross-Site Scripting (XSS) in page history compare

April 14, 2026 (updated April 27, 2026)

A reflected cross-site scripting vulnerability (XSS) in the compare view between revisions of a page allows executing JavaScript code in the user’s browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance.

References

github.com/advisories/GHSA-w4fj-87j5-f25c
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c
github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c
jira.xwiki.org/browse/XWIKI-23472
nvd.nist.gov/vuln/detail/CVE-2026-40105

Code Behaviors & Features

Detect and mitigate CVE-2026-40105 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →