CVE-2026-33229: XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API
An improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don’t recommend giving to untrusted users.
References
- github.com/advisories/GHSA-h259-74h5-4rh9
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9
- jira.xwiki.org/browse/XWIKI-23698
- jira.xwiki.org/browse/XWIKI-23702
- nvd.nist.gov/vuln/detail/CVE-2026-33229
Code Behaviors & Features
Detect and mitigate CVE-2026-33229 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →