CVE-2024-31982
CVE-2024-31982 is a critical-severity vulnerability in Xwiki with a CVSS 3.x base score of 10.0. Its EPSS exploit-prediction score of 35% places it in the 98th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-94.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 35% (98th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-1055
- Weakness: CWE-94
- Affected product: Xwiki
- Published:
- Last modified:
Description
XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.
Frequently asked questions
- What is CVE-2024-31982?
- XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.
- How severe is CVE-2024-31982?
- CVE-2024-31982 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-31982 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 35% (98th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-31982?
- CVE-2024-31982 affects Xwiki. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-31982?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2024-31982 have an EU (EUVD) identifier?
- Yes. CVE-2024-31982 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-1055.
- When was CVE-2024-31982 published?
- CVE-2024-31982 was published on 2024-04-10 and last updated on 2026-06-17.
References
- https://github.com/xwiki/xwiki-platform/commit/3c9e4bb04286de94ad24854026a09fa967538e31
- https://github.com/xwiki/xwiki-platform/commit/459e968be8740c8abc2a168196ce21e5ba93cfb8
- https://github.com/xwiki/xwiki-platform/commit/95bdd6cc6298acdf7f8f21298d40eeb8390a8565
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2858-8cfx-69m9
- https://jira.xwiki.org/browse/XWIKI-21472
- https://www.vicarius.io/vsociety/posts/xwiki-rce-cve-2024-31982
- https://www.vicarius.io/vsociety/posts/cve-2024-31982-detect-xwiki-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2024-31982-xwiki-mitigation-vulnerability
Affected products (1)
- cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
More vulnerabilities in Xwiki
- CVE-2024-31996 — Critical (CVSS 10.0): XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and…
- CVE-2024-21650 — Critical (CVSS 10.0): XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is…
- CVE-2023-46731 — Critical (CVSS 10.0): XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't…
- CVE-2023-26477 — Critical (CVSS 10.0): XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary…
- CVE-2025-53836 — Critical (CVSS 9.9): XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc)…
- CVE-2024-55877 — Critical (CVSS 9.9): XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and…
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.