XWiki Rendering Vulnerability in XWiki Software
CVE-2025-53835

9.1CRITICAL

Key Information:

Vendor: Xwiki
Status: Xwiki-rendering
Vendor: CVE Published:; 14 July 2025

What is CVE-2025-53835?

XWiki Rendering features a vulnerability that allows Cross-Site Scripting (XSS) attacks due to the improper handling of XHTML syntax. Versions 5.4.5 up to 14.9 allow users with document edit permissions, like their user profile, to insert unvalidated HTML content, including JavaScript, potentially compromising the web application’s security. This issue arises from the dependency on the 'xdom+xml/current' syntax, which has been eliminated in version 14.10. Users are strongly advised to upgrade to this version for enhanced security. The 'xdom+xml' syntax remains vulnerable and should not be utilized in standard wiki deployments.

Affected Version(s)

xwiki-rendering >= 5.4.5, < 14.10

References

https://github.com/xwiki/xwiki-rendering/security/advisor...

x_refsource_CONFIRM

https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99...

x_refsource_MISC

https://jira.xwiki.org/browse/XRENDERING-660

x_refsource_MISC

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 14, 2025

Xwiki

What is CVE-2025-53835?

Affected Version(s)

References

CVSS V3.1

Timeline