JavaScript Injection Vulnerability in Apache JSPWiki
CVE-2025-24853

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Jspwiki
Vendor: CVE Published:; 31 July 2025

What is CVE-2025-24853?

A vulnerability in Apache JSPWiki allows attackers to execute malicious JavaScript code in users' browsers by crafting specific requests through the wiki markup syntax. This can lead to unintentional information disclosure about the affected users. Additionally, the vulnerability is not limited to the wiki markup but is also present in the markdown parser. Users of Apache JSPWiki are strongly advised to upgrade to version 2.12.3 or higher to protect against these potential exploits.

Affected Version(s)

Apache JSPWiki 0 <= 2.12.2

References

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 31, 2025
Vulnerability Reserved
Jan 25, 2025

Credit

The issue was discovered by XBOW (https://github.com/xbow-security, https://xbow.com)