XWiki Open-Source Wiki Software Vulnerability - XSS Risk from Notification Displayer Class
CVE-2025-49587
What is CVE-2025-49587?
In XWiki, an open-source wiki software platform, a vulnerability exists that could allow cross-site scripting (XSS) attacks. The issue arises when a user who lacks script rights creates a document containing an XWiki.Notifications.Code.NotificationDisplayerClass object. If an admin later edits and saves that document, the object's potentially harmful content is rendered as raw HTML with the admin's rights. Versions before 15.9 are especially exposed, because the warnings shown when editing documents with risky properties were only introduced in version 15.9. XWiki addressed the vulnerability in versions 15.10.16, 16.4.7, and 16.10.2 by adding a rights analyzer that warns admins before they proceed with editing a document carrying possibly malicious code.
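As an added, defender-side example (not XWiki's own code, and not part of this advisory), the script below triages an exported XWiki document for NotificationDisplayerClass objects whose template carries script-capable markup, so an admin can review such pages before editing and saving them. It assumes the usual xwikidoc XML layout (one <property> element per field, field names eventType and notificationTemplate); the sample document is constructed.

```python
"""Triage an XWiki document export for risky NotificationDisplayerClass objects.

Assumed layout (xwikidoc XML as in a XAR export): <xwikidoc> with <author>
and <object> children; each <object> has a <className> and <property>
elements whose child is named after the class field. Sample is constructed.
"""
import re
import xml.etree.ElementTree as ET

DISPLAYER_CLASS = "XWiki.Notifications.Code.NotificationDisplayerClass"

# Markup that becomes live HTML/script once the template is rendered raw.
# Heuristic only: "on\w+\s*=" may also match harmless words ending in "on".
RISKY_MARKUP = re.compile(r"<script\b|\{\{\s*html\b|on\w+\s*=|javascript:", re.I)


def find_risky_displayers(doc_xml: str) -> list:
    """One finding per displayer object whose template looks script-capable."""
    root = ET.fromstring(doc_xml)
    author = root.findtext("author", default="")  # who last saved the page
    findings = []
    for obj in root.iter("object"):
        if obj.findtext("className") != DISPLAYER_CLASS:
            continue
        template = obj.findtext("property/notificationTemplate", default="")
        if RISKY_MARKUP.search(template):
            findings.append({
                "object_number": obj.findtext("number", default="?"),
                "author": author,
                "event_type": obj.findtext("property/eventType", default=""),
                "snippet": template.strip()[:60],
            })
    return findings


# Constructed sample: a low-privilege user's page with one benign displayer
# and one whose template wraps a script tag in the html macro.
SAMPLE_DOC = """<xwikidoc version="1.5" reference="Sandbox.Demo" locale="">
  <web>Sandbox</web><name>Demo</name>
  <author>XWiki.lowprivuser</author>
  <object>
    <className>XWiki.Notifications.Code.NotificationDisplayerClass</className>
    <number>0</number>
    <property><eventType>create</eventType></property>
    <property><notificationTemplate>{{velocity}}$event.type{{/velocity}}</notificationTemplate></property>
  </object>
  <object>
    <className>XWiki.Notifications.Code.NotificationDisplayerClass</className>
    <number>1</number>
    <property><eventType>update</eventType></property>
    <property><notificationTemplate>{{html}}&lt;script&gt;...&lt;/script&gt;{{/html}}</notificationTemplate></property>
  </object>
</xwikidoc>"""

if __name__ == "__main__":
    for f in find_risky_displayers(SAMPLE_DOC):
        print(f"object #{f['object_number']} by {f['author']} ({f['event_type']}): {f['snippet']}")
```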
Affected Version(s)
Package         Affected versions           Unaffected versions
xwiki-platform  >= 15.9-rc-1, < 15.10.16    < 15.9-rc-1, 15.10.16
xwiki-platform  >= 16.0.0-rc-1, < 16.4.7    < 16.0.0-rc-1, 16.4.7
xwiki-platform  >= 16.5.0-rc-1, < 16.10.2   < 16.5.0-rc-1, 16.10.2