Class based , object oriented programming language. Designed to have less dependencies as possible. The syntex of Java is smilier to C and C++. Commonly used for client-server applications. Java files are compiled by JVM (Java Virtual Machine)

Java

### Impact
A reflected cross-site scripting vulnerability (XSS) in the compare view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance.
### Patches
The problem has been patched by properly escaping the URL parameters.
### Workarounds
The [patch](https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c#diff-a5e75a4e3820a63c02a32666dda67c73ee7885ab8e7f67e52cfcb3be5a13326e) can be applied manually to `templates/changesdoc.vm` in the deployed WAR.
### Attribution
XWiki thanks Mike Cole @mikecole-mg for discovering and reporting this vulnerability.

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-39842	CRITICAL	9.9	Java	io.openremote:openremote-manager	No	Yes	Apr 14, 2026
CVE-2026-2332	HIGH	7.4	Java	jetty12	No	Yes	Apr 14, 2026
CVE-2026-40104	MEDIUM	6.9	Java	org.xwiki.platform:xwiki-platform-legacy-oldcore	No	Yes	Apr 14, 2026
CVE-2026-40105	MEDIUM	6.5	Java	org.xwiki.platform:xwiki-platform-web-templates	No	Yes	Apr 14, 2026
CVE-2026-33929	MEDIUM	4.3	Java	org.apache.pdfbox:pdfbox-examples	No	Yes	Apr 14, 2026

CVE-2026-40105:
Java vulnerability analysis and mitigation

Impact

Patches

Workarounds

Attribution

6.5

Related Java vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

CVE-2026-40105: Java vulnerability analysis and mitigation