Remote Code Execution Vulnerability in XWiki Platform by XWiki
CVE-2025-48063

4.8 MEDIUM

Key Information:

Vendor

Xwiki

CVE Published:
21 May 2025

What is CVE-2025-48063?

A vulnerability in the XWiki platform allows users with edit rights on a document to incorrectly assign programming rights to it through the enforcement of required rights. If exploited, this can lead to the execution of malicious code, undermining the security benefit that the restriction on rights assignment is meant to provide. The flaw is triggered when a user with programming rights edits a vulnerable document, which permits unauthorized code execution. To mitigate this risk, users are advised to update to version 16.10.4 or 17.1.0RC1; no workarounds are available.

Affected Version(s)

xwiki-platform >= 16.10.0-rc-1, < 16.10.4 < 16.10.0-rc-1, 16.10.4

xwiki-platform >= 17.0.0-rc-1, < 17.1.0-rc-1 < 17.0.0-rc-1, 17.1.0-rc-1

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
