Vulnerability Database

308,681

Total vulnerabilities in the database

CVE-2021-29459

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible to persistently inject scripts in XWiki versions prior to 12.6.3 and 12.8. Unregistred users can fill simple text fields. Registered users can fill in their personal information and (if they have edit rights) fill the values of static lists using App Within Minutes. There is no easy workaround except upgrading XWiki. The vulnerability has been patched on XWiki 12.8 and 12.6.3.

Published: Apr 20, 2021
Updated: Nov 16, 2025
CVE: CVE-2021-29459
GHSA: GHSA-5c66-v29h-xjh8
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.6
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
xwiki / xwiki	-	12.6.3
xwiki / xwiki	12.6.4	12.8
org.xwiki.platform / xwiki-platform-oldcore	-	12.6.3
org.xwiki.platform / xwiki-platform-oldcore	12.6.4	12.8
org.xwiki.platform / xwiki-platform-web	-	12.6.3
org.xwiki.platform / xwiki-platform-web	12.6.4	12.8

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5c66-v29h-xjh8

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo