XWiki Platform Vulnerability in Custom Display Code and Property Scripts
CVE-2025-49585

8.6 HIGH

Key Information:

Vendor:
XWiki

CVE Published:
13 June 2025

What is CVE-2025-49585?

XWiki Platform contains a flaw that lets an attacker without script or programming rights execute arbitrary code. The attacker creates an XClass definition; when a victim user who has edit rights (and may hold admin privileges) later edits the document, the attacker's malicious code is executed. The flaw affects custom display code and the scripts attached to computed properties, and is a significant risk if exploited. XWiki 15.9 added warnings that alert users to dangerous properties, but earlier versions had no such safeguard. The issue is fixed in XWiki 15.10.16, 16.4.7 and 16.10.2, which introduce stricter checks on XClass properties.

Affected Version(s)

xwiki-platform < 15.10.16

xwiki-platform >= 16.0.0-rc-1, < 16.4.7

xwiki-platform >= 16.5.0-rc-1, < 16.10.2

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved
