CVE-2022-36096

Name: CVE-2022-36096
Creator: NVD / NIST
Published: 2022-09-08T21:15:07.95+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9/10EPSS 59.47%

Last modified Jun 17, 2026

CVE-2022-36096 is a critical-severity vulnerability rated 9/10 on the CVSS scale. The XWiki Platform Index UI is an Index of all pages, attachments, orphans and deleted pages and attachments for XWiki Platform, a generic wiki platform. Prior to versions 13.10.6 and 14.3, it's possible to store JavaScript which will be executed by anyone viewing the deleted attachments index with an attachment containing javascript in its name. EPSS estimates a 59.47% chance of exploitation in the next 30 days.

Description

The XWiki Platform Index UI is an Index of all pages, attachments, orphans and deleted pages and attachments for XWiki Platform, a generic wiki platform. Prior to versions 13.10.6 and 14.3, it's possible to store JavaScript which will be executed by anyone viewing the deleted attachments index with an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3. As a workaround, modify fix the vulnerability by editing the wiki page `XWiki.DeletedAttachments` with the object editor, open the `JavaScriptExtension` object and apply on the content the changes that can be found on the fix commit.

Metrics

CVSS 3.1

9/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Probability

59.47%

99.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Xwiki	Xwiki	>= 2.3, < 13.10.6	—
Xwiki	Xwiki	>= 14.0, < 14.3	—
Xwiki	Xwiki	2.2	Milestone1

References

https://github.com/xwiki/xwiki-platform/commit/6705b0cd0289d1c90ed354bd4ecc1508c4b25745Patch, Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gjmq-x5x7-wc36Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19613Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/6705b0cd0289d1c90ed354bd4ecc1508c4b25745Patch, Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gjmq-x5x7-wc36Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19613Vendor Advisory

Timeline

Published: Sep 8, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-36096?

How severe is CVE-2022-36096?

CVE-2022-36096 has a CVSS score of 9/10 (CRITICAL severity). The EPSS model estimates a 59.47% probability of exploitation in the next 30 days.

How do I fix CVE-2022-36096?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-36096?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST