[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-23734":6},{"stargazers_count":4,"fetched_at":5},6,"2026-05-20T17:11:50.996Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":26,"aliases":27,"duplicate_of":9,"upstream":28,"downstream":29,"duplicates":30,"related":31,"reserved_at":9,"published_at":32,"modified_at":32,"state":33,"summary":34,"references_raw":41,"kevs":56,"epss":9,"epss_history":57,"metrics":58,"affected":62},"CVE-2026-23734","XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability can be exploited via the resource parameter of the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-23","Relative Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as \"..\" that can resolve to a location that is outside of that directory.","weakness","Draft","Base",[19,22],{"id":20,"name":13,"techniques":21},"CAPEC-139",[],{"id":23,"name":24,"techniques":25},"CAPEC-76","Manipulating Web Input to File System Calls",[],[],[],[],[],[],[],"2026-05-20T18:39:32.313Z","PUBLISHED",{"cisa_kev":35,"cisa_ransomware":35,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":36,"severity_score":37,"severity_version":38,"severity_source":39,"severity_vector":40,"severity_status":33},false,"critical",9.3,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",[42,47,52],{"url":43,"sources":44,"tags":45},"https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-xq3r-2qv5-vqqm",[39],[46],"X Refsource CONFIRM",{"url":48,"sources":49,"tags":50},"https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf",[39],[51],"X Refsource MISC",{"url":53,"sources":54,"tags":55},"https://jira.xwiki.org/browse/XCOMMONS-3547",[39],[51],[],[],[59],{"source":39,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":60},{"baseScore":37,"baseSeverity":61,"vectorString":40,"impactScore":9,"exploitabilityScore":9},"CRITICAL",[63],{"ecosystem":9,"name":64,"vendor":65,"product":64,"cpe_part":66,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":67},"xwiki-commons","xwiki","a",[68,73,78,82],{"version":69,"is_range":70,"range_type":39,"version_start":9,"version_start_type":9,"version_end":71,"version_end_type":72,"fixed_in":9},"\u003C 16.10.17",true,"16.10.17","excluding",{"version":74,"is_range":70,"range_type":39,"version_start":75,"version_start_type":76,"version_end":77,"version_end_type":72,"fixed_in":9},">= 17.0.0-rc-1, \u003C 17.4.9","17.0.0-rc-1","including","17.4.9",{"version":79,"is_range":70,"range_type":39,"version_start":80,"version_start_type":76,"version_end":81,"version_end_type":72,"fixed_in":9},">= 17.5.0, \u003C 17.10.3","17.5.0","17.10.3",{"version":83,"is_range":70,"range_type":39,"version_start":84,"version_start_type":76,"version_end":85,"version_end_type":72,"fixed_in":9},">= 18.0.0-rc-1, \u003C 18.1.0-rc-1","18.0.0-rc-1","18.1.0-rc-1"]