Cyber Resilience

CVE-2026-33229

Severity: High · Public PoC

Published: 08 April 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: fixed in XWiki Platform 17.4.8 and 17.10.1
CVSS v4.0 base score: 8.6 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0054 (41.2nd percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33229 is a high-severity Missing Authorization (CWE-862) vulnerability in XWiki Platform (CPE vendor/product: xwiki/xwiki). Its CVSS v4.0 base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 41.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability has also been scored under CVSS v3.1 as 9.8 (Critical; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). That vector's PR:N (no privileges required) is at odds with the advisory's stated precondition, which requires script right and which the v4.0 vector above records as PR:H; for triage, treat the bug as post-authentication and reachable only by an account that already holds an elevated right. It affects XWiki Platform, a generic wiki platform providing runtime services for applications built on it. In versions prior to 17.4.8 and 17.10.1, an improperly protected scripting API (CWE-862) lets any user holding script right bypass the sandboxing of the Velocity scripting API and execute arbitrary code, for example Python scripts, gaining full access to the XWiki instance.

A user holding script right (itself a high level of access that should never be granted to untrusted parties) can exploit the flaw remotely over the network with low attack complexity and no user interaction. Successful exploitation runs unsandboxed code on the server and compromises the confidentiality, integrity and availability of the entire XWiki instance, not just the pages the user is allowed to edit.

Advisories recommend upgrading to XWiki Platform 17.4.8 or 17.10.1, where the vulnerability is fixed, as detailed in the GitHub security advisory (GHSA-h259-74h5-4rh9), the fixing commit (9fe84da66184c05953df9466cf3a4acd15a46e63), and related JIRA tickets (XWIKI-23698, XWIKI-23702).

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1221 Template Injection (Defense Evasion)
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

Where the XWiki instance is reachable from the Internet, exploitation yields remote code execution on the server (T1190); note that the attacker still needs an account holding script right, so this is not an unauthenticated entry point. Bypassing the Velocity scripting sandbox escalates that script-right holder to full control of the instance (T1068). The T1221 mapping is looser: that technique covers references planted in document templates (for example Office templates), not server-side template or scripting engines such as Velocity, so treat it as a thematic analogue rather than a direct match.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23025 (same product: XWiki)
CVE-2025-29926 (same product: XWiki)
CVE-2025-53836 (same product: XWiki)
CVE-2025-29924 (same product: XWiki)
CVE-2025-54385 (same product: XWiki)
CVE-2025-24893 (same product: XWiki)
CVE-2025-51991 (same product: XWiki)
CVE-2025-32429 (same product: XWiki)
CVE-2025-55747 (same product: XWiki)
CVE-2025-53835 (same product: XWiki)

Affected Assets

xwiki / xwiki (XWiki Platform)
Affected: 17.0.0 up to, but not including, 17.4.8; and 17.5.0 up to, but not including, 17.10.1. Fixed in 17.4.8 and 17.10.1.
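To turn the ranges above into an inventory check, here is an added example (my code, not the page's or XWiki's own tooling) that classifies a version string against the two affected windows. It uses the inclusive lower and exclusive upper bounds as listed here, treats a pre-release or snapshot that carries a fixed version number (for example 17.4.8-rc-1) as still affected, and reports versions below 17.0.0 separately rather than calling them safe, because the advisory wording "prior to 17.4.8" may reach older branches. The version strings in the sample inventory are constructed.

```python
"""Classify an XWiki Platform version against the affected ranges listed for CVE-2026-33229.

Ranges taken from the Affected Assets list on this page (lower bound inclusive, upper bound
exclusive): 17.0.0 <= v < 17.4.8 and 17.5.0 <= v < 17.10.1. Fixed in 17.4.8 and 17.10.1.
The advisory says "prior to 17.4.8", so versions below 17.0.0 are reported separately.
"""
import re
from typing import Tuple

Version = Tuple[int, int, int]

AFFECTED_WINDOWS = (
    ((17, 0, 0), (17, 4, 8)),
    ((17, 5, 0), (17, 10, 1)),
)
LISTED_FLOOR: Version = (17, 0, 0)
FIXED_VERSIONS = ("17.4.8", "17.10.1")

# major[.minor[.patch]] followed by an optional qualifier such as "-rc-1" or "-SNAPSHOT"
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> Tuple[Version, str]:
    """Split '17.10.1-rc-1' into ((17, 10, 1), 'rc-1'). Missing components default to 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), qualifier.lstrip("-")


def is_affected(version: str) -> bool:
    """True when the version lies inside an affected window.

    A pre-release or snapshot carrying a fixed version number (e.g. '17.4.8-rc-1') was cut
    before that release shipped, so it is treated as affected: the conservative choice.
    """
    core, qualifier = parse_version(version)
    for low, high in AFFECTED_WINDOWS:
        if low <= core < high:
            return True
        if core == high and qualifier:
            return True
    return False


def classify(version: str) -> str:
    """One of 'affected', 'not-affected' or 'older-than-listed', for inventory triage."""
    if is_affected(version):
        return "affected"
    core, _ = parse_version(version)
    if core < LISTED_FLOOR:
        return "older-than-listed"
    return "not-affected"


def report(version: str) -> str:
    """One line per instance, suitable for a ticket or a scan summary."""
    verdict = classify(version)
    if verdict == "affected":
        return f"XWiki {version}: affected by CVE-2026-33229, upgrade to {' or '.join(FIXED_VERSIONS)}"
    if verdict == "older-than-listed":
        return f"XWiki {version}: below the listed range; the advisory says 'prior to 17.4.8', so confirm with the vendor and upgrade"
    return f"XWiki {version}: not in an affected range listed for CVE-2026-33229"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ("17.4.7", "17.4.8", "17.4.8-rc-1", "17.5.0", "17.10.0", "17.10.1", "16.10.5", "18.0.0"):
        print(report(v))
```

Feed it the version from your asset inventory or from each instance's banner. The qualifier handling is deliberately conservative: a 17.4.8 release candidate or snapshot is reported as affected, and anything older than 17.0.0 is flagged for confirmation rather than silently passed.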

Mitigating Controls (NIST 800-53 r5, AI mapping)

SI-2 Flaw Remediation (prevent): requires timely flaw remediation, here applying the fix for CVE-2026-33229 (XWiki Platform 17.4.8 or 17.10.1) that closes the sandbox bypass in the Velocity scripting API. This is the only control that actually removes the vulnerability.

AC-6 Least Privilege (prevent): restrict script right to trusted users, and review existing grants, in particular any grant to a broad group, so that untrusted parties cannot reach the vulnerable scripting API. This narrows the population that can exploit the bug but does not fix it.

AC-3 Access Enforcement (prevent): mandates enforcement mechanisms for access control policies; the underlying defect is that the scripting API was not gated by the authorization check it needed (CWE-862), which is what the fix addresses.
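For the AC-6 review above, an added example (my code, not XWiki's own): it reads the XAR XML of a rights document and lists which users and groups have an allow rule for script or programming right that is not cancelled by a deny rule, flagging grants to XWiki.XWikiAllGroup because that group contains every registered user. The XML layout (XWiki.XWikiGlobalRights or XWiki.XWikiRights objects with allow, users, groups and levels properties) is assumed from XWiki's export format, and SAMPLE_DOC is a constructed document, not a real export. Programming right is included because it already permits unsandboxed code and belongs in the same least-privilege review.

```python
"""List who holds script or programming right in an XWiki rights document (XAR XML export).

Assumed layout (from XWiki's export format): wiki-wide rights are XWiki.XWikiGlobalRights
objects on XWiki.XWikiPreferences, space/page rights are XWiki.XWikiRights objects on
WebPreferences pages; each object has <className> and one <property> element per field:
allow (1 = allow, 0 = deny), users, groups and levels (comma-separated).
SAMPLE_DOC is constructed for this example and is not a real export.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Set

RIGHT_CLASSES = {"XWiki.XWikiGlobalRights", "XWiki.XWikiRights"}
# Programming right already allows unsandboxed code, so it is reviewed alongside script right.
RIGHTS_OF_INTEREST = {"script", "programming"}
# Every registered user is a member of this group, so a grant to it is effectively wiki-wide.
EVERYONE_GROUP = "XWiki.XWikiAllGroup"

# Constructed sample: admins with programming, everyone plus a contractor with script,
# and a deny rule that takes script back from the contractor.
SAMPLE_DOC = """<xwikidoc reference="XWiki.XWikiPreferences" locale="">
  <object>
    <className>XWiki.XWikiGlobalRights</className>
    <property><allow>1</allow></property>
    <property><groups>XWiki.XWikiAdminGroup</groups></property>
    <property><levels>admin,programming</levels></property>
    <property><users></users></property>
  </object>
  <object>
    <className>XWiki.XWikiGlobalRights</className>
    <property><allow>1</allow></property>
    <property><groups>XWiki.XWikiAllGroup</groups></property>
    <property><levels>script,edit</levels></property>
    <property><users>XWiki.Contractor</users></property>
  </object>
  <object>
    <className>XWiki.XWikiGlobalRights</className>
    <property><allow>0</allow></property>
    <property><groups></groups></property>
    <property><levels>script</levels></property>
    <property><users>XWiki.Contractor</users></property>
  </object>
</xwikidoc>
"""


@dataclass(frozen=True)
class Grant:
    subject: str  # user or group document reference
    kind: str     # "user" or "group"
    level: str    # "script" or "programming"
    allow: bool   # False is an explicit deny rule


def _field(obj: ET.Element, name: str) -> str:
    node = obj.find(f"./property/{name}")
    return (node.text or "").strip() if node is not None else ""


def _csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def extract_grants(doc_xml: str) -> List[Grant]:
    """Every allow/deny rule for a right of interest, one Grant per (subject, level)."""
    grants: List[Grant] = []
    for obj in ET.fromstring(doc_xml).findall("./object"):
        if (obj.findtext("className") or "").strip() not in RIGHT_CLASSES:
            continue
        levels = set(_csv(_field(obj, "levels"))) & RIGHTS_OF_INTEREST
        if not levels:
            continue
        allow = _field(obj, "allow") == "1"
        subjects = [(u, "user") for u in _csv(_field(obj, "users"))]
        subjects += [(g, "group") for g in _csv(_field(obj, "groups"))]
        for subject, kind in subjects:
            for level in sorted(levels):
                grants.append(Grant(subject, kind, level, allow))
    return grants


def effective_holders(doc_xml: str) -> Set[Grant]:
    """Allow rules not cancelled by a deny rule for the same subject and level.

    Triage approximation only: XWiki's real resolution also walks group membership and
    parent spaces, so use this to find candidates for review, not as an authorization oracle.
    """
    grants = extract_grants(doc_xml)
    denied = {(g.subject, g.level) for g in grants if not g.allow}
    return {g for g in grants if g.allow and (g.subject, g.level) not in denied}


def findings(doc_xml: str) -> List[str]:
    """Sorted, human-readable lines; grants to the everyone group are flagged as wiki-wide."""
    lines = []
    for g in effective_holders(doc_xml):
        flag = " [WIKI-WIDE]" if g.subject == EVERYONE_GROUP else ""
        lines.append(f"{g.kind} {g.subject} holds {g.level}{flag}")
    return sorted(lines)


if __name__ == "__main__":
    for line in findings(SAMPLE_DOC):
        print(line)
```

Run it over the XWiki.XWikiPreferences document and every WebPreferences document in a XAR export; any line tagged [WIKI-WIDE], or any group or user you cannot justify, is a grant to remove before relying on this control. It is a review aid, not a substitute for the upgrade.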

References

GHSA-h259-74h5-4rh9 (GitHub security advisory)
9fe84da66184c05953df9466cf3a4acd15a46e63 (fixing commit)
XWIKI-23698, XWIKI-23702 (JIRA tickets)