{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/xwiki-platform-old-core--17.10.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["XWiki Platform Old Core (\u003c 17.10.5)","XWiki Platform Old Core (\u003e= 18.0.0-rc-1, \u003c 18.2.0)","Jetty (12+)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-vulnerability","xwiki","jetty","cve","information-disclosure","platform:network"],"_cs_type":"advisory","_cs_vendors":["XWiki","Eclipse Foundation"],"content_html":"\u003cp\u003eCVE-2026-34151 identifies a critical path traversal vulnerability affecting XWiki Platform Old Core versions prior to 17.10.5 and between 18.0.0-rc-1 and 18.2.0, specifically when deployed on Jetty 12+ application servers. This flaw allows unauthenticated attackers to construct specially crafted URLs that, when processed by the vulnerable XWiki instance, can bypass directory restrictions. This enables access to any file on the underlying operating system that the Jetty process has permissions to read, including sensitive system files like \u003ccode\u003e/etc/passwd\u003c/code\u003e or application-specific configuration files such as \u003ccode\u003exwiki.cfg\u003c/code\u003e and Hibernate settings. The vulnerability poses a significant information disclosure risk, as it could expose critical system and application data, potentially leading to further reconnaissance, credential harvesting, or escalation of privileges by a threat actor.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An unauthenticated attacker sends an HTTP GET request to the vulnerable XWiki application's \u003ccode\u003e/xwiki/bin/skin/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Crafting:\u003c/strong\u003e The attacker embeds double URL-encoded path traversal sequences (\u003ccode\u003e..%252f\u003c/code\u003e) within the URL path following the \u003ccode\u003e/skin/\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTargeting Sensitive Files:\u003c/strong\u003e The crafted URL aims to traverse directories to reach sensitive files, such as \u003ccode\u003ehttp://[host]/xwiki/bin/skin/..%252f/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd\u003c/code\u003e for system files or \u003ccode\u003ehttp://[host]/xwiki/bin/skin/..%252f/..%252fWEB-INF/xwiki.cfg\u003c/code\u003e for application configuration files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Processing:\u003c/strong\u003e The XWiki application, running on Jetty 12+, processes the request to the \u003ccode\u003e/skin/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePath Traversal Execution:\u003c/strong\u003e Due to the vulnerability, Jetty 12+ misinterprets the encoded path traversal sequences, allowing the application to access resources outside its intended web application directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFile Retrieval:\u003c/strong\u003e The web server retrieves the content of the targeted file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, \u003ccode\u003exwiki.cfg\u003c/code\u003e) from the file system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Disclosure:\u003c/strong\u003e The server responds to the attacker with the contents of the sensitive file, revealing potentially critical system or application information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e This leads to information disclosure, which can be used for reconnaissance, identifying user accounts, understanding application architecture, or finding credentials for subsequent attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34151 can lead to severe information disclosure. Attackers can access any file on the server that the Jetty instance has read permissions for, including operating system files like \u003ccode\u003e/etc/passwd\u003c/code\u003e, revealing local user accounts and system configuration. More critically, it allows access to sensitive XWiki and Hibernate configuration files (e.g., \u003ccode\u003exwiki.cfg\u003c/code\u003e), which often contain database connection strings, API keys, and other proprietary application settings. This information can be leveraged for further attacks, such as database compromise, privilege escalation, or lateral movement within the network. There are no reported victim counts, but any organization running affected XWiki versions on Jetty 12+ is at risk across all sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-34151:\u003c/strong\u003e Immediately upgrade XWiki Platform Old Core to version 17.10.5 or 18.2.0 or later to remediate CVE-2026-34151.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Detection Rule:\u003c/strong\u003e Deploy the provided Sigma rule \u0026quot;Detects CVE-2026-34151 Exploitation — XWiki Path Traversal\u0026quot; to your SIEM solution to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Webserver Logs:\u003c/strong\u003e Configure web server logging for HTTP requests to capture full URIs and query strings, specifically for unusual access patterns to the \u003ccode\u003e/xwiki/bin/skin/\u003c/code\u003e endpoint containing \u003ccode\u003e..%252f\u003c/code\u003e or similar encoded path traversal sequences.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Workarounds (if patching is not immediate):\u003c/strong\u003e As a temporary measure, consider migrating XWiki to an application server other than Jetty 12+, such as Tomcat or an older version of Jetty (\u0026lt; 12), as these are not impacted by this specific vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T13:15:17Z","date_published":"2026-07-07T13:15:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-xwiki-path-traversal/","summary":"An attacker can exploit CVE-2026-34151, a path traversal vulnerability in XWiki Platform Old Core through the `/skin/` action endpoint when hosted on Jetty 12+. This allows unauthenticated users to craft URLs to access and download arbitrary files on the server, such as `/etc/passwd` or sensitive XWiki configuration files (e.g., `xwiki.cfg`), potentially leading to information disclosure and further system compromise.","title":"XWiki Platform Old Core Path Traversal via /skin/ Endpoint (CVE-2026-34151)","url":"https://feed.craftedsignal.io/briefs/2026-07-xwiki-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - XWiki Platform Old Core (\u003c 17.10.5)","version":"https://jsonfeed.org/version/1.1"}