Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-49581

XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that has programming right like the page XWiki.ChildrenMacro and thus allows arbitrary script macros. This vulnerability has been patched in XWiki 16.4.7, 16.10.3 and 17.0.0 by executing wiki parameters with the rights of the wiki macro's author when the parameter's value is the default value.

Published

2025-06-13T16:15:27.570

Last Modified

2025-09-03T17:51:15.263

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

Weaknesses

Type: Secondary
CWE-94
CWE-250
CWE-270

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	xwiki	< 12.0	Yes
Application	xwiki	xwiki	< 12.7	Yes
Application	xwiki	xwiki	< 16.4.7	Yes
Application	xwiki	xwiki	< 16.10.3	Yes
Application	xwiki	xwiki	17.0.0	Yes

References

https://github.com/xwiki/xwiki-platform/commit/c99d501ed41cbee6a3c02ff927714531570789de Patch ([email protected])
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9875-cw22-f7cx Vendor Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-22760 Exploit, Issue Tracking, Vendor Advisory ([email protected])