CVE-2022-36098

Name: CVE-2022-36098
Creator: NVD / NIST
Published: 2022-09-08T21:15:08.097+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9/10EPSS 71.04%

Last modified Jun 17, 2026

CVE-2022-36098 is a critical-severity vulnerability rated 9/10 on the CVSS scale. XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field. EPSS estimates a 71.04% chance of exploitation in the next 30 days.

Description

XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page with the mention. This issue has been patched on XWiki 14.4 and 13.10.6. As a workaround, one may update `XWiki.Mentions.MentionsMacro` and edit the `Macro code` field of the `XWiki.WikiMacroClass` XObject.

Metrics

CVSS 3.1

9/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Probability

71.04%

99.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Xwiki	Xwiki	>= 12.5, < 13.10.6
Xwiki	Xwiki	>= 14.0, < 14.4

References

https://github.com/xwiki/xwiki-platform/commit/4032dc896857597efd169966dc9e2752a9fdd459#diff-4fe22885f772e47d3561a05348f73921669ec12d4413b220383b73c7ae484bc4R608-R610Patch, Third Party Advisory
https://github.com/xwiki/xwiki-platform/commit/4f290d87a8355e967378a1ed6aee23a06ba162ebPatch, Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5v8-2q4r-5w9vExploit, Patch, Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19752Exploit, Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/4032dc896857597efd169966dc9e2752a9fdd459#diff-4fe22885f772e47d3561a05348f73921669ec12d4413b220383b73c7ae484bc4R608-R610Patch, Third Party Advisory
https://github.com/xwiki/xwiki-platform/commit/4f290d87a8355e967378a1ed6aee23a06ba162ebPatch, Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5v8-2q4r-5w9vExploit, Patch, Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19752Exploit, Vendor Advisory

Timeline

Published: Sep 8, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-36098?

How severe is CVE-2022-36098?

CVE-2022-36098 has a CVSS score of 9/10 (CRITICAL severity). The EPSS model estimates a 71.04% probability of exploitation in the next 30 days.

How do I fix CVE-2022-36098?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-36098?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST