CVE-2026-40105
XWiki has Reflected Cross-Site Scripting (XSS) in page history compare
Description
### Impact A reflected cross-site scripting vulnerability (XSS) in the compare view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance. ### Patches The problem has been patched by properly escaping the URL parameters. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c#diff-a5e75a4e3820a63c02a32666dda67c73ee7885ab8e7f67e52cfcb3be5a13326e) can be applied manually to `templates/changesdoc.vm` in the deployed WAR. ### Attribution XWiki thanks Mike Cole @mikecole-mg for discovering and reporting this vulnerability.
How to fix CVE-2026-40105
To remediate CVE-2026-40105, upgrade the affected package to a fixed version below.
- —upgrade to 16.10.16 or later
Is CVE-2026-40105 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 10.4-rc-1, < 16.10.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H |
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |