[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-33137":6},{"stargazers_count":4,"fetched_at":5},6,"2026-05-20T17:11:50.996Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":229,"aliases":230,"duplicate_of":9,"upstream":231,"downstream":232,"duplicates":233,"related":234,"reserved_at":9,"published_at":235,"modified_at":235,"state":236,"summary":237,"references_raw":244,"kevs":259,"epss":9,"epss_history":260,"metrics":261,"affected":265},"CVE-2026-33137","XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-862","Missing Authorization","The product does not perform an authorization check when an actor attempts to access a resource or perform an action.","weakness","Incomplete","Class","High",[20],{"id":21,"name":22,"techniques":23},"CAPEC-665","Exploitation of Thunderbolt Protection Flaws",[24,61,101],{"id":25,"name":26,"tactics":27,"countermeasures":34},"T1211","Exploitation for Stealth",[28,31],{"id":29,"name":30},"TA0030","Defense Evasion",{"id":32,"name":33},"TA0005","Stealth",[35,40,44,48,53,57],{"id":36,"name":37,"tactic":38},"D3-MBT","Memory Boundary Tracking",{"name":39},"Detect",{"id":41,"name":42,"tactic":43},"D3-PCSV","Process Code Segment Verification",{"name":39},{"id":45,"name":46,"tactic":47},"D3-SSC","Shadow Stack Comparisons",{"name":39},{"id":49,"name":50,"tactic":51},"D3-PSEP","Process Segment Execution Prevention",{"name":52},"Harden",{"id":54,"name":55,"tactic":56},"D3-SAOR","Segment Address Offset Randomization",{"name":52},{"id":58,"name":59,"tactic":60},"D3-SFCV","Stack Frame Canary Validation",{"name":52},{"id":62,"name":63,"tactics":64,"countermeasures":70},"T1542.002","Component Firmware",[65,66,67],{"id":29,"name":30},{"id":32,"name":33},{"id":68,"name":69},"TA0110","Persistence",[71,76,80,84,88,92,96],{"id":72,"name":73,"tactic":74},"D3-SWI","Software Inventory",{"name":75},"Model",{"id":77,"name":78,"tactic":79},"D3-AVE","Asset Vulnerability Enumeration",{"name":75},{"id":81,"name":82,"tactic":83},"D3-FEMC","Firmware Embedded Monitoring Code",{"name":39},{"id":85,"name":86,"tactic":87},"D3-FV","Firmware Verification",{"name":39},{"id":89,"name":90,"tactic":91},"D3-FBA","Firmware Behavior Analysis",{"name":39},{"id":93,"name":94,"tactic":95},"D3-SU","Software Update",{"name":52},{"id":97,"name":98,"tactic":99},"D3-RS","Restore Software",{"name":100},"Restore",{"id":102,"name":103,"tactics":104,"countermeasures":113},"T1556","Modify Authentication Process",[105,106,109,110],{"id":29,"name":30},{"id":107,"name":108},"TA0112","Defense Impairment",{"id":68,"name":69},{"id":111,"name":112},"TA0031","Credential Access",[114,118,122,126,130,134,138,142,146,150,155,159,163,167,171,176,180,184,188,193,197,201,205,209,213,217,221,225],{"id":115,"name":116,"tactic":117},"D3-CI","Configuration Inventory",{"name":75},{"id":119,"name":120,"tactic":121},"D3-NTPM","Network Traffic Policy Mapping",{"name":75},{"id":123,"name":124,"tactic":125},"D3-AM","Access Modeling",{"name":75},{"id":127,"name":128,"tactic":129},"D3-FA","File Analysis",{"name":39},{"id":131,"name":132,"tactic":133},"D3-FIM","File Integrity Monitoring",{"name":39},{"id":135,"name":136,"tactic":137},"D3-PLA","Process Lineage Analysis",{"name":39},{"id":139,"name":140,"tactic":141},"D3-PSMD","Process Self-Modification Detection",{"name":39},{"id":143,"name":144,"tactic":145},"D3-PSA","Process Spawn Analysis",{"name":39},{"id":147,"name":148,"tactic":149},"D3-SFA","System File Analysis",{"name":39},{"id":151,"name":152,"tactic":153},"D3-FEV","File Eviction",{"name":154},"Evict",{"id":156,"name":157,"tactic":158},"D3-PT","Process Termination",{"name":154},{"id":160,"name":161,"tactic":162},"D3-PS","Process Suspension",{"name":154},{"id":164,"name":165,"tactic":166},"D3-HR","Host Reboot",{"name":154},{"id":168,"name":169,"tactic":170},"D3-HS","Host Shutdown",{"name":154},{"id":172,"name":173,"tactic":174},"D3-DF","Decoy File",{"name":175},"Deceive",{"id":177,"name":178,"tactic":179},"D3-FE","File Encryption",{"name":52},{"id":181,"name":182,"tactic":183},"D3-RF","Restore File",{"name":100},{"id":185,"name":186,"tactic":187},"D3-RC","Restore Configuration",{"name":100},{"id":189,"name":190,"tactic":191},"D3-CF","Content Filtering",{"name":192},"Isolate",{"id":194,"name":195,"tactic":196},"D3-LFP","Local File Permissions",{"name":192},{"id":198,"name":199,"tactic":200},"D3-RFAM","Remote File Access Mediation",{"name":192},{"id":202,"name":203,"tactic":204},"D3-CQ","Content Quarantine",{"name":192},{"id":206,"name":207,"tactic":208},"D3-CM","Content Modification",{"name":192},{"id":210,"name":211,"tactic":212},"D3-KBPI","Kernel-based Process Isolation",{"name":192},{"id":214,"name":215,"tactic":216},"D3-SCF","System Call Filtering",{"name":192},{"id":218,"name":219,"tactic":220},"D3-HBPI","Hardware-based Process Isolation",{"name":192},{"id":222,"name":223,"tactic":224},"D3-ABPI","Application-based Process Isolation",{"name":192},{"id":226,"name":227,"tactic":228},"D3-WSAM","Web Session Access Mediation",{"name":192},[],[],[],[],[],[],"2026-05-20T18:59:17.819Z","PUBLISHED",{"cisa_kev":238,"cisa_ransomware":238,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":239,"severity_score":240,"severity_version":241,"severity_source":242,"severity_vector":243,"severity_status":236},false,"critical",9.3,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",[245,250,255],{"url":246,"sources":247,"tags":248},"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r",[242],[249],"X Refsource CONFIRM",{"url":251,"sources":252,"tags":253},"https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f",[242],[254],"X Refsource MISC",{"url":256,"sources":257,"tags":258},"https://jira.xwiki.org/browse/XWIKI-23953",[242],[254],[],[],[262],{"source":242,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":263},{"baseScore":240,"baseSeverity":264,"vectorString":243,"impactScore":9,"exploitabilityScore":9},"CRITICAL",[266],{"ecosystem":9,"name":267,"vendor":268,"product":267,"cpe_part":269,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":270},"xwiki-platform","xwiki","a",[271,276,281,285],{"version":272,"is_range":273,"range_type":242,"version_start":9,"version_start_type":9,"version_end":274,"version_end_type":275,"fixed_in":9},"\u003C 16.10.17",true,"16.10.17","excluding",{"version":277,"is_range":273,"range_type":242,"version_start":278,"version_start_type":279,"version_end":280,"version_end_type":275,"fixed_in":9},">= 17.0.0-rc-1, \u003C 17.4.9","17.0.0-rc-1","including","17.4.9",{"version":282,"is_range":273,"range_type":242,"version_start":283,"version_start_type":279,"version_end":284,"version_end_type":275,"fixed_in":9},">= 17.5.0, \u003C 17.10.3","17.5.0","17.10.3",{"version":286,"is_range":273,"range_type":242,"version_start":287,"version_start_type":279,"version_end":288,"version_end_type":275,"fixed_in":9},">= 18.0.0-rc-1, \u003C 18.1.0-rc-1","18.0.0-rc-1","18.1.0-rc-1"]