CVE-2026-48047

MEDIUMPre-NVD 0.0

0.0

XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin

Impact

A potential path traversal vulnerability allow an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe like overriding configuration files and setting the superadmin password, the attack first requires that the attacker already has admin access to at least a subwiki to be able to install a malicious extension. Further, the attacker needs to publish a malicious extension in an extension repository that is configured in the instance.

Patches

This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, and 18.0.0RC1.

Workarounds

XWiki is not aware of any workarounds except for being careful whom developers grant script and admin rights to.

Resources

* https://jira.xwiki.org/browse/XWIKI-23902 * https://github.com/xwiki/xwiki-platform/commit/9f747fcd3200259a1de51957d3f5f6acc8e3816c

CVSS v3: —
EG Score: 0.0(none)
EPSS: —
KEV: Not listed

Published

May 26, 2026

Last Modified

May 26, 2026

Vendor Advisories for CVE-2026-48047(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-vgwr-23fq-pr7g
GitHub Security AdvisoriesMedium
XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-26 20:14 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-48047?

CVE-2026-48047 is a medium vulnerability published on May 26, 2026. XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin Impact A potential path traversal vulnerability allow an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be…

When was CVE-2026-48047 disclosed?

CVE-2026-48047 was first published in the National Vulnerability Database on May 26, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

How do I remediate CVE-2026-48047?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48047, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-48047

Explore →

Is Your Infrastructure Affected by CVE-2026-48047?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs