CVE-2026-33229
XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API
Description
### Impact An improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. ### Patches The vulnerability has been patched in XWiki 17.4.8 and 17.10.1 by requiring programming right to access the affected scripting API. ### Workarounds We're not aware of any workarounds except for being careful whom you grant script right. ### Attribution We thank Youssef Azefzaf for discovering and reporting this vulnerability.
How to fix CVE-2026-33229
To remediate CVE-2026-33229, upgrade the affected package to a fixed version below.
- —upgrade to 17.4.8 or later
- —upgrade to 17.4.8 or later
Is CVE-2026-33229 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 17.0.0-rc-1, < 17.4.8
- >= 17.0.0-rc-1, < 17.4.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |