Home / Vulnerability Intelligence / CVE-2026-40104

CVE-2026-40104 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: April 16, 2026

XWiki Platform - Denial of Service

Published: April 15, 2026Updated: April 16, 2026Remote Exploitable

Overview

XWiki Platform <= 1.8-rc-1, 17.0.0-rc-1, 17.5.0-rc-1 contains a resource exhaustion vulnerability caused by lack of query limits in REST API endpoints listing pages metadata, letting attackers exhaust server resources remotely, exploit requires access to REST API.

Severity & Score

Severity: High

CVSS Score: 8.2

Impact

Attackers can exhaust server resources causing denial of service on large wikis.

Mitigation

Update to versions 16.10.16, 17.4.8, 17.10.1 or later.

References

https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mrqg-xmgm-rc5g
https://jira.xwiki.org/browse/XWIKI-23550

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-40104
Severity: High
CVSS Score: 8.2
Type: misconfiguration
Status: new

CWE

CWE-770

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H