Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-33137 is a low severity vulnerability with a CVSS score of 0.0. Exploits are available; patches have been released and should be applied urgently.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
POST /wikis/{wikiName} executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki
This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
XWiki is not aware of any workarounds other than adding a rule into an HTTP proxy to prevent access POST request in the /wikis/{wikiName}[/] endpoint.
If there are any questions or comments about this advisory:
Reported by Sho Odagiri (GMO Cybersecurity by Ierae, Inc.).
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.