CVE-2026-48048

Description

### Impact XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient and with slightly modified parameters to the `LiveTableResults`, it is still possible to discover password hashes one bit at a time, so with 768 requests, the full password salt and hash can be retrieved of a user. ### Patches The check for password (and email properties) has been adjusted in XWiki 18.0.0RC1, 17.10.13, 17.4.9 and 16.10.17. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a) can be applied manually to the wiki page `XWiki.LiveTableResultsMacros`. ### Resources * https://jira.xwiki.org/browse/XWIKI-23875 * https://github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa

How to fix CVE-2026-48048

To remediate CVE-2026-48048, upgrade the affected package to a fixed version below.

• —upgrade to 16.10.17 or later

Is CVE-2026-48048 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-48048.

Affected packages (1)

• >= 6.2.1, < 16.10.17

CVSS scores

References (4)

• PATCHgithub.com/xwiki/xwiki-platform
• WEBgithub.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa
• WEBgithub.com/xwiki/xwiki-platform/security/advisories/GHSA-rh28-mqj4-8x59
• WEBjira.xwiki.org/browse/XWIKI-23875