Server-Side Template Injection in XWiki Administration Interface
CVE-2025-51991

8.8 HIGH

Key Information:

Vendor: XWiki
Status: Vendor
CVE Published: 20 August 2025

What is CVE-2025-51991?

XWiki versions up to 17.3.0 are susceptible to a Server-Side Template Injection vulnerability within the Administration interface. The flaw is in the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can exploit it by injecting Apache Velocity template code into that field; the server then evaluates the stored value as a template without adequate validation or sandboxing. Exploitation allows arbitrary template logic to run, which can expose sensitive internal server data and enable further attacks, including remote code execution. The root cause is that a configuration field populated from user input is rendered dynamically as a template instead of being treated as literal text.
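The description above comes down to one pattern: a stored preference value is handed to a template engine that evaluates it. A defender reviewing an instance, or writing a pre-save check for a similar field, wants to know whether a value contains anything Velocity would evaluate at all. The following is an added example, not XWiki code and not taken from the advisory: a small scanner that flags Velocity directives (`#set`, `#if`, `#foreach`, ...) and references (`$var`, `${var}`, `$!var`) in arbitrary string values. The sample preference values are constructed for illustration.

```python
import re

# Velocity constructs an engine would evaluate if the value were rendered as a template.
# Directive names listed here are the standard Velocity directives (assumption: the
# deployment does not define extra ones); matching is deliberately conservative.
VELOCITY_DIRECTIVE = re.compile(
    r"#\{?(set|if|elseif|else|end|foreach|macro|evaluate|include|parse|define|break|stop)\b",
    re.IGNORECASE,
)
# A reference: '$', optional '!' (silent), optional '{', then an identifier.
VELOCITY_REFERENCE = re.compile(r"\$!?\{?[A-Za-z_][A-Za-z0-9_]*")


def find_velocity_constructs(value: str) -> list[str]:
    """Return every Velocity directive or reference token found in value, directives first."""
    hits = [m.group(0) for m in VELOCITY_DIRECTIVE.finditer(value)]
    hits += [m.group(0) for m in VELOCITY_REFERENCE.finditer(value)]
    return hits


def is_safe_meta_info(value: str) -> bool:
    """True when the value contains nothing a Velocity engine would interpret."""
    return not find_velocity_constructs(value)


# Constructed sample values of the kind an HTML meta-info preference might hold.
SAMPLE_PREFERENCES = {
    "benign": '<meta name="description" content="Team wiki"><link rel="icon" href="/favicon.ico#top">',
    "directive": '<meta name="x" content="#set($a = 1)">',
    "reference": '<meta name="author" content="$!{userName}">',
}


def audit(prefs: dict[str, str]) -> dict[str, list[str]]:
    """Map each preference name to the Velocity tokens found in its value (empty list = clean)."""
    return {name: find_velocity_constructs(value) for name, value in prefs.items()}


if __name__ == "__main__":
    for name, tokens in audit(SAMPLE_PREFERENCES).items():
        print(f"{name}: {'OK' if not tokens else 'FLAGGED ' + str(tokens)}")
```

The scanner errs on the side of flagging: a `\$` escape sequence or a literal `$name` in normal text is reported too, because the durable fix is for the application never to evaluate such a field as a template, and any value that would change meaning under evaluation deserves a look. Note that `href="#top"` is not reported, since `top` is not a Velocity directive name.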

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
