{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/xwiki-platform/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["XWiki Platform"],"_cs_severities":["high"],"_cs_tags":["xwiki","credential-access","password-hash-disclosure","cve-2026-48048"],"_cs_type":"advisory","_cs_vendors":["XWiki"],"content_html":"\u003cp\u003eA vulnerability in the XWiki Platform\u0026rsquo;s \u003ccode\u003eLiveTableResults\u003c/code\u003e macro allows an attacker to reconstruct stored password hashes. It is an incomplete fix for a prior vulnerability (GHSA-5cf8-vrr8-8hjm): with slightly modified request parameters an attacker can still learn a password hash one bit per request, so approximately 768 requests recover a user\u0026rsquo;s full password salt and hash. The issue is fixed in XWiki 18.0.0RC1, 17.10.13, 17.4.9, and 16.10.17.
This vulnerability, tracked as CVE-2026-48048, affects XWiki instances that have not applied those updates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an XWiki instance running a version without the fix.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a series of HTTP requests to the \u003ccode\u003eLiveTableResults\u003c/code\u003e macro, using the slightly modified parameters that get past the earlier fix for GHSA-5cf8-vrr8-8hjm (the same password and email property exposure that fix was meant to close).\u003c/li\u003e\n\u003cli\u003eEach request is built so that the response reveals one bit of the targeted user\u0026rsquo;s stored salt and password hash.\u003c/li\u003e\n\u003cli\u003eAfter approximately 768 such requests the attacker has reconstructed the full salt and hash.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the hash offline. Because the salt is recovered as well, this is an ordinary salted-hash cracking job, and success depends on the strength of the password and the cost of the hash algorithm.\u003c/li\u003e\n\u003cli\u003eWith the cracked password the attacker logs in as that user and tries the same password against other accounts and services where the user may have reused it.\u003c/li\u003e\n\u003cli\u003eThe attacker reads sensitive content or performs privileged actions within the XWiki instance with the compromised account\u0026rsquo;s rights.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-48048 hands an attacker the salt and password hash of a targeted user; once the hash is cracked, the attacker holds that user\u0026rsquo;s access to the wiki and to anywhere the same password was reused. The number of affected XWiki installations is unknown.
Organizations running vulnerable versions of XWiki could experience data breaches, account compromise, and reputational damage if this vulnerability is exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade XWiki to 18.0.0RC1, 17.10.13, 17.4.9, or 16.10.17, whichever is the fixed release for the branch you run.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, apply the upstream workaround: patch the \u003ccode\u003eXWiki.LiveTableResultsMacros\u003c/code\u003e wiki page by hand, and record that you did so, so the manual edit is not forgotten when the instance is later upgraded.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect XWiki Password Hash Bit Disclosure\u003c/code\u003e to identify attempts to exploit this vulnerability in web server logs.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for bursts of requests to the \u003ccode\u003eLiveTableResults\u003c/code\u003e macro from a single client, in particular hundreds of near-identical requests that differ only in their filter parameters; one extraction needs roughly 768 of them per targeted user.\u003c/li\u003e\n\u003cli\u003eIf such a burst is found, treat the targeted users\u0026rsquo; password hashes as disclosed: reset their passwords and check for reuse of the same passwords on other systems.\u003c/li\u003e\n\u003cli\u003eMonitor XWiki instances for unauthorized access attempts and privilege escalation activities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T20:23:18Z","date_published":"2026-05-26T20:23:18Z","id":"https://feed.craftedsignal.io/briefs/2026-05-xwiki-password-hash-disclosure/","summary":"A vulnerability in XWiki Platform allows an attacker to reconstruct a user's password salt and hash with approximately 768 requests to the `LiveTableResults` macro, impacting versions prior to 18.0.0RC1, 17.10.13, 17.4.9, and 16.10.17.","title":"XWiki Platform Livetable Vulnerability Allows Password Hash Reconstruction","url":"https://feed.craftedsignal.io/briefs/2026-05-xwiki-password-hash-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — XWiki Platform","version":"https://jsonfeed.org/version/1.1"}
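The recommendation above asks for a review of web server logs for the bit-by-bit extraction pattern. The following is an added example, not code from the advisory, from CraftedSignal's Sigma rule, or from the XWiki project: a small detector that parses combined-format access log lines, keeps only requests to `LiveTableResults` that filter on a sensitive user property, and raises one alert per client that sends a burst of them. The advisory does not publish the modified parameters, so the parameter markers (`password`, `email`), the query string in the constructed sample, the 60 second window and the threshold of 50 are all assumptions to tune for your deployment.

```python
"""
Burst detector for bit-by-bit password hash extraction through the XWiki
LiveTableResults macro (CVE-2026-48048), run over web server access logs.

Added example; not part of the advisory, the Sigma rule or XWiki itself.
The parameter names used to recognise a filter on the password or email
property are an assumption: the advisory does not list the bypass
parameters, so tune SENSITIVE_PARAM_MARKERS to what your patched page rejects.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SENSITIVE_PARAM_MARKERS = ("password", "email")  # assumed, see module docstring
WINDOW_SECONDS = 60
THRESHOLD = 50  # a full extraction needs ~768 requests, so 50 in a minute is already anomalous


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "target": m["target"],
        "status": int(m["status"]),
    }


def is_livetable_filter_probe(target):
    """True when the request hits LiveTableResults with a filter on a sensitive property."""
    parts = urlsplit(target)
    if "LiveTableResults" not in parts.path:
        return False
    # Live table filters are request parameters named after the property
    # (optionally with a suffix such as "_match"); match on the property name.
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        lname = name.lower()
        if any(marker in lname for marker in SENSITIVE_PARAM_MARKERS):
            return True
    return False


def detect_hash_extraction(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert per client IP whose probes within `window` seconds reach `threshold`."""
    recent = defaultdict(deque)  # ip -> timestamps of probes still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_livetable_filter_probe(rec["target"]):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append({"ip": rec["ip"], "count": len(q), "first": q[0], "last": rec["ts"]})
    return alerts


def _ts(d):
    return d.strftime(TS_FMT)


def constructed_sample_log():
    """Constructed sample, not a real capture: one ordinary browse, then a 60-request burst.
    The query string of the burst is illustrative, not the real bypass."""
    base = datetime(2026, 5, 26, 20, 0, 0, tzinfo=timezone.utc)
    lines = [
        f'198.51.100.4 - - [{_ts(base)}] "GET /xwiki/bin/get/XWiki/LiveTableResults?'
        f'outputSyntax=plain&classname=XWiki.XWikiUsers&collist=first_name&first_name=al HTTP/1.1" 200 512'
    ]
    for i in range(60):
        lines.append(
            f'203.0.113.7 - - [{_ts(base + timedelta(seconds=i))}] "GET /xwiki/bin/get/XWiki/'
            f'LiveTableResults?outputSyntax=plain&classname=XWiki.XWikiUsers&collist=name'
            f'&password_match=prefix&password=hash%3A{i:x} HTTP/1.1" 200 214'
        )
    return lines


if __name__ == "__main__":
    for alert in detect_hash_extraction(constructed_sample_log()):
        print(f"{alert['ip']}: {alert['count']} LiveTableResults probes between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

The detector deliberately counts requests rather than matching a fixed query string, because the bypass relies on parameters that differ only slightly from the ones the earlier fix blocked; a signature on exact parameter names is easy to sidestep, while several hundred near-identical requests per targeted user are not.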