XWiki Vulnerability Allows Unauthorized Script Execution Due to Link Mismanagement
CVE-2025-49580

8.5 HIGH

Key Information:

Vendor:
XWiki

CVE Published:
13 June 2025

What is CVE-2025-49580?

A vulnerability has been identified in XWiki where a page can gain script or programming rights when the target of a link it contains is renamed or moved, so that scripts which were never authorized can be executed with those rights. Versions from 7.4.5 and 8.2 up to 17.1.0-rc-1, 16.10.4, and 16.4.7 are at risk. The issue has been resolved in the 17.1.0-rc-1, 16.10.4, and 16.4.7 releases, which no longer let a page acquire rights through a renamed or moved link target. For further details, refer to the vendor security advisory and the commits that describe the specific changes made.

Affected Version(s)

xwiki-platform >= 17.0.0-rc-1, < 17.1.0-rc-1 (fixed in 17.1.0-rc-1)

xwiki-platform >= 16.5.0-rc-1, < 16.10.4 (fixed in 16.10.4)

xwiki-platform >= 8.2, < 16.4.7 (fixed in 16.4.7)

CVSS v4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved
