Security vulnerabilities in Wiki.js

[012git012]

Hello @NGPixel,

Our team would like to inform you that security vulnerabilities were discovered in Wiki.js. We submitted a report to you on June 11 (https://github.com/requarks/wiki/security/advisories/new), but it's almost 2 months with no response.

We also created an issue (#7698), but we haven't received any feedback here either.

Please be informed that our team plans to release a technical research, which will include details of the discovered vulnerabilities.

Please note, according to our policy, we reserve the right to publicly disclose our findings, if we do not receive a response from you within 90 days.
Planned disclosure date: September, 9 2025.

We kindly ask you to review our request and get back to us as soon as possible.

Look forward to hearing from you.

[NGPixel]

Sorry for the late reply. The 3 vulnerabilities you submitted are known limitations and will be addressed in full in 3.x. The manage:users and manage:groups are considered administrator roles and as such, the attack vector is extremely low.

In the meantime, the role description could be changed to clarify these limitations.

[012git012]

@NGPixel
Please provide us with the timeline for fixing the vulnerabilities. This will help us keep our processes aligned.

Thank you in advance!

[NGPixel]

No ETA for 3.x.

[012git012]

Hello @NGPixel
Since it has been almost 9 months since we reported the vulnerabilities, could you please provide an update on whether you now have an estimated timeline for the 3.x release that will address these issues? Thank you in advance.

[NGPixel]

There's a patch in the work to address this specific issue, expected in the coming week.

[uamcloudadrian]

thanks again for all the work you are doing @NGPixel 🙏