Severity | Score | CVE | Summary | Affected versions
CRITICAL | 9.8 | CVE-2025-32969 | org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API | >= 1.8, < 15.10.16
CRITICAL | 9.6 | CVE-2023-37277 | XWiki Platform vulnerable to cross-site request forgery (CSRF) via the REST API | >= 1.8, < 14.10.8
HIGH | 7.5 | CVE-2023-35151 | XWiki Platform may show email addresses in clear in REST results | >= 7.3-milestone-1, < 14.4.8
MEDIUM | 5.3 | — | XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API | >= 1.8.1, < 14.10.22
MEDIUM | 5.3 | — | XWiki Platform document history including authors of any page exposed to unauthorized actors | >= 1.8.0, < 15.10.9
MEDIUM | 5.3 | — | Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server | >= 8.1, < 13.10.8
— | — | — | XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName} | >= 15.10.6, < 16.10.17
— | — | — | XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis | from 0, < 16.10.11
— | — | — | XWiki Platform is vulnerable to HQL injection via wiki and space search REST API | >= 17.0.0-rc-1, < 17.4.2
— | — | — | XWiki makes title of inaccessible pages available through the class property values REST API | >= 10.9, < 16.4.7
— | — | — | XWiki allows unregistered users to access private pages information through REST endpoint | >= 1.9M1, < 15.10.14