{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40104", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T01:41:38.536Z", "datePublished": "2026-04-15T00:01:58.583Z", "dateUpdated": "2026-04-16T14:08:58.592Z"}, "containers": {"cna": {"title": "XWiki's REST APIs can list all pages/spaces, leading to unavailability", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7"}, {"name": "https://jira.xwiki.org/browse/XWIKI-23550", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-23550"}], "affected": [{"vendor": "xwiki", "product": "org.xwiki.platform:xwiki-platform-oldcore", "versions": [{"version": ">= 1.8-rc-1, < 16.10.16", "status": "affected"}, {"version": ">= 17.0.0-rc-1, < 17.4.8", "status": "affected"}, {"version": ">= 17.5.0-rc-1, < 17.10.1", "status": "affected"}]}, {"vendor": "xwiki", "product": "org.xwiki.platform:xwiki-platform-legacy-oldcore", "versions": [{"version": ">= 1.8-rc-1, < 16.10.16", "status": "affected"}, {"version": ">= 17.0.0-rc-1, < 17.4.8", "status": "affected"}, {"version": ">= 17.5.0-rc-1, < 17.10.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T00:01:58.583Z"}, "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1."}], "source": {"advisory": "GHSA-mrqg-xmgm-rc5g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T14:08:13.653691Z", "id": "CVE-2026-40104", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:08:58.592Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40104", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T01:41:38.536Z", "datePublished": "2026-04-15T00:01:58.583Z", "dateUpdated": "2026-04-16T14:08:58.592Z"}, "containers": {"cna": {"title": "XWiki's REST APIs can list all pages/spaces, leading to unavailability", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7"}, {"name": "https://jira.xwiki.org/browse/XWIKI-23550", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-23550"}], "affected": [{"vendor": "xwiki", "product": "org.xwiki.platform:xwiki-platform-oldcore", "versions": [{"version": ">= 1.8-rc-1, < 16.10.16", "status": "affected"}, {"version": ">= 17.0.0-rc-1, < 17.4.8", "status": "affected"}, {"version": ">= 17.5.0-rc-1, < 17.10.1", "status": "affected"}]}, {"vendor": "xwiki", "product": "org.xwiki.platform:xwiki-platform-legacy-oldcore", "versions": [{"version": ">= 1.8-rc-1, < 16.10.16", "status": "affected"}, {"version": ">= 17.0.0-rc-1, < 17.4.8", "status": "affected"}, {"version": ">= 17.5.0-rc-1, < 17.10.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T00:01:58.583Z"}, "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1."}], "source": {"advisory": "GHSA-mrqg-xmgm-rc5g", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-40104", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T14:08:13.653691Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:08:50.602Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1."}], "id": "CVE-2026-40104", "lastModified": "2026-04-17T15:38:09.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T04:17:47.953", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7"}, {"source": "security-advisories@github.com", "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g"}, {"source": "security-advisories@github.com", "url": "https://jira.xwiki.org/browse/XWIKI-23550"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.8-rc-1,16.10.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.0.0-rc-1,17.4.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.5.0-rc-1,17.10.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "org.xwiki.platform:xwiki-platform-legacy-oldcore", "source": "cna", "vendor": "xwiki"}, "product": "xwiki-platform-legacy-oldcore", "vendor": "xwiki"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.8-rc-1,16.10.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.0.0-rc-1,17.4.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.5.0-rc-1,17.10.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "org.xwiki.platform:xwiki-platform-oldcore", "source": "cna", "vendor": "xwiki"}, "product": "xwiki-platform-oldcore", "vendor": "xwiki"}], "analysis": {"en": {"generated_at": "2026-04-15T01:20:36.452487+00:00", "value": {"mitigation_remediation": ["Update the XWiki Platform to version 16.10.16, 17.4.8, or 17.10.1 to receive the official fix; this removes the unbounded list generation from the REST API.", "If an upgrade is not immediately possible, restrict network access to the affected REST endpoints (e.g., using firewall rules or HTTP authentication) so that only trusted administrators can perform page enumeration.", "Configure resource limits on the web server or Java application to throttle or deny large requests, mitigating the risk of service exhaustion until a patch can be applied."], "summary": {"action": "Apply Patch", "impact": "Resource Exhaustion leading to Unavailability"}, "threat_synthesis": {"affected_systems": "The vulnerability targets xwiki-platform-legacy-oldcore and xwiki-platform-oldcore products from XWiki. It applies to releases up to and including 1.8-rc-1, 17.0.0-rc-1, and 17.5.0-rc-1. Patching versions 16.10.16, 17.4.8, and 17.10.1 removes the flaw, but older instances are still at risk.", "description_and_impact": "XWiki Platform versions 1.8-rc-1, 17.0.0-rc-1, and 17.5.0-rc-1 and earlier allow REST API endpoints to enumerate every page, space, and object without imposing query limits. The resulting exhaustive list of metadata can consume excessive server CPU, memory, and I/O, eventually causing the service to become unresponsive. The issue\u2019s weakness corresponds to Resource Exhaustion and can compromise availability, which is the primary impact for users of large wikis.", "risk_and_exploitability": "The CVSS score is 6.9, indicating moderate severity. No EPSS score is reported, so exploitation likelihood is unknown, and the vulnerability is not currently recorded in the CISA KEV catalog. The attack vector is inferred to be remote over HTTP by an unauthenticated or authenticated user who can access REST endpoints; an attacker could trigger the exhaustive queries to deplete server resources."}}}}, "created": "2026-04-15T13:49:14.873899+00:00", "updated": "2026-04-15T14:53:35.776954+00:00", "vendors": ["xwiki", "xwiki$PRODUCT$xwiki-platform-legacy-oldcore", "xwiki$PRODUCT$xwiki-platform-oldcore"]}