CVE-2023-26470

Public Exploit
In XWiki Platform, saving a document with a large object number leads to persistent OOM errors

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). Most of the time this will fill the memory allocated to XWiki and make it unusable every time this document is manipulated. This issue has been patched in XWiki 14.0-rc-1.

Categories

5.7
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.20%
Vendor Advisory github.com Vendor Advisory xwiki.org
Affected: xwiki xwiki-platform
Published at:
Updated at:

References

Link Tags
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-92wp-r7hm-42g7 exploit vendor advisory
https://github.com/xwiki/xwiki-platform/commit/04e5a89d2879b160cdfaea846024d3d9c1a525e6 patch
https://github.com/xwiki/xwiki-platform/commit/db3d1c62fc5fb59fefcda3b86065d2d362f55164 patch
https://github.com/xwiki/xwiki-platform/commit/fdfce062642b0ac062da5cda033d25482f4600fa patch
https://jira.xwiki.org/browse/XWIKI-19223 issue tracking patch vendor advisory exploit

Frequently Asked Questions

What is the severity of CVE-2023-26470?
CVE-2023-26470 has been scored as a medium severity vulnerability.
How to fix CVE-2023-26470?
To fix CVE-2023-26470, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-26470 being actively exploited in the wild?
It is possible that CVE-2023-26470 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-26470?
CVE-2023-26470 affects xwiki xwiki-platform.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.