Product
An attacker can exploit CVE-2026-34151, a path traversal vulnerability in XWiki Platform Old Core through the `/skin/` action endpoint when hosted on Jetty 12+. This allows unauthenticated users to craft URLs to access and download arbitrary files on the server, such as `/etc/passwd` or sensitive XWiki configuration files (e.g., `xwiki.cfg`), potentially leading to information disclosure and further system compromise.