Arbitrary Code Execution Vulnerability in XWiki by XWiki SAS
CVE-2025-49581

8.7 HIGH

Key Information:

Vendor

XWiki

CVE Published:
13 June 2025

What is CVE-2025-49581?

A vulnerability in XWiki allows users with edit rights to execute arbitrary code through specially crafted wiki macros. When a wiki macro declares a parameter that accepts wiki syntax and that parameter is left at its default value, the macro may execute with the permissions of the document's author rather than those of the user who triggered it. An attacker with edit rights can therefore abuse such a macro, for example the children macro, to run unauthorized scripts and gain full access to the XWiki installation. XWiki has addressed this issue in versions 16.4.7, 16.10.3, and 17.0.0 by executing the macro under the rights of the macro's own author whenever default values are applied.

Affected Version(s)

xwiki-platform: >= 11.10.11, < 12.0

xwiki-platform: >= 12.6.3, < 12.7

xwiki-platform: >= 12.8-rc-1, < 16.4.7

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved
