SQL Injection Vulnerability in XWiki Affects Multiple Versions
CVE-2025-32968
Summary
XWiki, a versatile wiki platform, is affected by a SQL injection vulnerability: a user who holds SCRIPT rights can escape the HQL execution context and reach the underlying SQL layer. The flaw is present in multiple versions prior to 15.10.16, 16.4.6, and 16.10.1. Exploitation may allow a malicious actor to execute arbitrary SQL statements on the backend database, potentially exposing sensitive data such as password hashes and permitting unauthorized modifications through UPDATE, INSERT, or DELETE queries. Because no workaround exists for this issue, upgrading to one of the patched versions without delay is essential. The fix additionally hardens the REST API's query protection so that complex queries are validated consistently.
Affected Version(s)
xwiki-platform >= 1.6-milestone-1, < 15.10.16 (patched in 15.10.16)
xwiki-platform >= 16.0.0-rc-1, < 16.4.6 (patched in 16.4.6)
xwiki-platform >= 16.5.0-rc-1, < 16.10.1 (patched in 16.10.1)
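As an added example (not part of this advisory or of XWiki's own code), the following Python checker decides whether an installed xwiki-platform version string falls inside one of the affected ranges listed above. The ordering milestone < rc < final release for version qualifiers is an assumption about XWiki's release naming, and the sample versions in the demo are constructed.

```python
import re
from typing import Tuple

# Assumed ordering of XWiki pre-release qualifiers: milestone < rc < final.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

# Accepts forms such as "15.10.16", "1.6", "16.0.0-rc-1", "1.6-milestone-1".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn an XWiki version string into a tuple that sorts correctly.

    The result is (numeric components, qualifier rank, qualifier number);
    a final release ranks above any milestone or rc of the same numbers.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # "1.6" sorts like "1.6.0"
    if m.group(2) is None:
        return nums, _FINAL_RANK, 0
    return nums, _QUALIFIER_RANK[m.group(2)], int(m.group(3))


# Affected ranges taken from the advisory, each as [lower, upper).
AFFECTED_RANGES = [
    ("1.6-milestone-1", "15.10.16"),
    ("16.0.0-rc-1", "16.4.6"),
    ("16.5.0-rc-1", "16.10.1"),
]


def is_affected(version: str) -> bool:
    """Return True if `version` lies in any affected range for CVE-2025-32968."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    for sample in ["15.10.15", "15.10.16", "16.0.0-rc-1", "16.4.6", "16.10.0", "16.10.1"]:
        print(f"{sample:>12}: {'AFFECTED' if is_affected(sample) else 'not affected'}")
```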