CVE-2026-33229
Published: 08 April 2026
Summary
CVE-2026-33229 is a critical-severity Missing Authorization (CWE-862) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 21.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, including applying patches for CVE-2026-33229 to fix the sandbox bypass in the Velocity scripting API.
AC-6 enforces least privilege by restricting script rights to only trusted users, preventing exploitation of the vulnerable scripting API by untrusted parties.
AC-3 mandates enforcement mechanisms for access control policies, addressing the improper protection of the scripting API that allowed sandbox bypass.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in the public-facing XWiki web application enables remote code execution (T1190). Bypassing the Velocity scripting sandbox facilitates escalation from script right to full instance access (T1068) and aligns with template injection techniques (T1221).
NVD Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
Deeper analysis
CVE-2026-33229 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting the XWiki Platform, a generic wiki platform providing runtime services for applications. In versions prior to 17.4.8 and 17.10.1, an improperly protected scripting API (CWE-862) enables users with script rights to bypass the sandboxing of the Velocity scripting API. This allows execution of arbitrary code, such as Python scripts, granting full access to the XWiki instance.
Any user possessing script right, which already constitutes elevated access that should not be granted to untrusted parties, can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation compromises the confidentiality, integrity, and availability of the entire XWiki instance by executing unsandboxed code.
Advisories recommend upgrading to XWiki Platform 17.4.8 or 17.10.1, where the vulnerability is fixed, as detailed in the GitHub security advisory (GHSA-h259-74h5-4rh9), the fixing commit (9fe84da66184c05953df9466cf3a4acd15a46e63), and related JIRA tickets (XWIKI-23698, XWIKI-23702).
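For the SI-2 (Flaw Remediation) side of this record, the practical first step is to find which XWiki instances still run an unfixed version. The following is an added example written for this page, not code from XWiki or from the advisory. It classifies version strings against the two fixed releases named above (17.4.8 and 17.10.1) and triages a constructed host inventory. It assumes that 17.4.x is a maintenance branch carrying the fix from 17.4.8 onward, that every other version below 17.10.1 is unfixed, and that a pre-release suffix such as `-rc-1` orders before the final release of the same number; the hostnames and versions in `SAMPLE_INVENTORY` are made up for illustration.

```python
"""Added example (not part of the CVE record or of XWiki): classify XWiki
Platform versions against the fixed releases named in CVE-2026-33229
(17.4.8 and 17.10.1) and triage a host inventory.

Assumptions: 17.4.x is a maintenance branch fixed from 17.4.8 on; every other
version below 17.10.1 is unfixed; a pre-release suffix (e.g. "-rc-1") orders
before the final release with the same number.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Fixed releases from the advisory text as (major, minor, patch, final) tuples.
# The fourth element orders a pre-release build (0) before the final build (1).
FIX_LTS = (17, 4, 8, 1)
FIX_MAIN = (17, 10, 1, 1)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-prerelease]' into a comparable tuple."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(version: str) -> bool:
    """True when the version predates both fixed releases on its branch."""
    v = parse_version(version)
    if v < FIX_LTS:
        return True
    if v[:2] == (17, 4):
        # 17.4.8 or later on the 17.4.x branch already carries the fix (assumption)
        return False
    return v < FIX_MAIN


def recommended_fix(version: str) -> Optional[str]:
    """Smallest fixed release on the same line, or None if already fixed."""
    if not is_affected(version):
        return None
    return "17.4.8" if parse_version(version)[:2] == (17, 4) else "17.10.1"


@dataclass
class Finding:
    host: str
    version: str
    affected: bool
    upgrade_to: Optional[str]


def triage(inventory: dict[str, str]) -> list[Finding]:
    """Return one Finding per host, affected hosts first, then by hostname."""
    findings = [
        Finding(host, ver, is_affected(ver), recommended_fix(ver))
        for host, ver in inventory.items()
    ]
    return sorted(findings, key=lambda f: (not f.affected, f.host))


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "wiki-prod-01.example.test": "17.10.0",
    "wiki-lts-02.example.test": "17.4.8",
    "wiki-dev-03.example.test": "17.4.7",
    "wiki-new-04.example.test": "17.10.1",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        state = f"UPGRADE to {f.upgrade_to}" if f.affected else "fixed"
        print(f"{f.host:28} {f.version:12} {state}")
```

Feed `triage` the output of whatever asset inventory records the XWiki version per host; the branch-aware check matters because a 17.4.9 instance is fixed while a newer-looking 17.9.x instance is not.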
Details
- CWE(s)