
CVE-2026-48047: XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin

May 26, 2026

A potential path traversal vulnerability allows an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe, such as overriding configuration files or setting the superadmin password, the attack first requires that the attacker already has admin access to at least a subwiki in order to install a malicious extension. Further, the attacker needs to publish the malicious extension in an extension repository that is configured in the instance.
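As an added illustration (this is not XWiki's code and not the change in the referenced commit), the check below shows the kind of validation that keeps an archive entry name from escaping the directory it is being extracted into, which is the defensive property a path traversal bug of this class violates. The class name, method name and sample paths are assumptions made for the example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration, not XWiki code: a containment check for archive entry
// names before anything is written under a target directory. The class and
// method names are hypothetical.
public final class WebJarEntryPath {

    private WebJarEntryPath() {
    }

    /**
     * Resolves an entry name (as read from a JAR/WebJar) against targetDir and
     * returns the absolute destination path, or throws if the entry would land
     * outside targetDir (a "../" chain or an absolute path).
     */
    public static Path resolveInside(Path targetDir, String entryName) {
        Path base = targetDir.toAbsolutePath().normalize();
        Path candidate;
        try {
            // resolve() returns an absolute entryName unchanged, so absolute
            // names reach the startsWith check below and are rejected there.
            candidate = base.resolve(entryName).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("Invalid entry name: " + entryName, e);
        }
        // startsWith compares whole path components, so "/out/webjars-x" does
        // not pass for base "/out/webjars"; equals(base) rejects an empty or
        // "." entry that would target the directory itself.
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IllegalArgumentException(
                "Entry escapes target directory: " + entryName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample target directory and entry names.
        Path target = Paths.get("/var/lib/xwiki/webjars");
        String[] samples = {
            "org/example/lib/1.0/lib.min.js",            // expected: accepted
            "../../WEB-INF/config.properties",           // expected: rejected
            "/etc/passwd",                               // expected: rejected
            "org/example/../../../../settings.properties" // expected: rejected
        };
        for (String name : samples) {
            try {
                System.out.println("OK      " + resolveInside(target, name));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT  " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is done on the normalized absolute path rather than by scanning the string for `..`, so encoded or mixed separators that normalize to a parent directory are caught the same way, and a sibling directory with a matching prefix is not mistaken for the target.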

References

  • github.com/advisories/GHSA-vgwr-23fq-pr7g
  • github.com/xwiki/xwiki-platform/commit/9f747fcd3200259a1de51957d3f5f6acc8e3816c
  • github.com/xwiki/xwiki-platform/security/advisories/GHSA-vgwr-23fq-pr7g
  • jira.xwiki.org/browse/XWIKI-23902
  • nvd.nist.gov/vuln/detail/CVE-2026-48047

Affected versions

  • All versions starting from 9.6.0-rc-1 before 16.10.17
  • All versions starting from 17.0.0-rc-1 before 17.4.9
  • All versions starting from 17.5.0-rc-1 before 17.10.3

Fixed versions

  • 16.10.17
  • 17.4.9
  • 17.10.3

Solution

Upgrade to version 16.10.17, 17.4.9 or 17.10.3 (or later), depending on the release line in use.

Impact: 6 (MEDIUM)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

Weakness

  • CWE-24: Path Traversal: '../filedir'

Source file

maven/org.xwiki.platform/xwiki-platform-webjars-api/CVE-2026-48047.yml

Page generated Tue, 23 Jun 2026 12:24:58 +0000.