Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-32429

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.

Published

2025-07-24T23:15:26.283

Last Modified

2025-09-03T17:43:28.937

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Secondary
CWE-89

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	xwiki	< 16.10.6	Yes
Application	xwiki	xwiki	≤ 17.2.2	Yes

References

https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101 Patch ([email protected])
https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3 Patch ([email protected])
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq Vendor Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-23093 Issue Tracking, Vendor Advisory ([email protected])