XWiki Rendering Vulnerability in XWiki Product
CVE-2025-53836

10 CRITICAL

Key Information:

Vendor:
XWiki

CVE Published:
15 July 2025

What is CVE-2025-53836?

CVE-2025-53836 is a flaw in the XWiki Rendering component: the default macro content parser does not correctly enforce restricted mode, so macros that should be prohibited there can still be executed. In affected versions this includes script macros, so an attacker who can supply content that is rendered in restricted mode (such as comments) may achieve script execution. The risk is greatest where untrusted users can submit such content, because they gain access to functionality that should be unavailable to them. Until the system is upgraded to a patched version (13.10.11, 14.4.7, or 14.10), disable the comment feature for untrusted users.

Affected Version(s)

xwiki-rendering >= 4.2-milestone-1, < 13.10.11 (fixed in 13.10.11)

xwiki-rendering >= 14.0, < 14.4.7 (fixed in 14.4.7)

xwiki-rendering >= 14.5, < 14.10 (fixed in 14.10)
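The three ranges above are easy to misread when a deployment sits on a maintenance branch (14.4.8 is past its fix, while 14.9 is not). The following Python is an added example, not part of this advisory or of XWiki's own code: it encodes the ranges exactly as listed and tells you which fix version a given xwiki-rendering version needs. The ordering of pre-release qualifiers (milestone before rc before the final release) is an assumption modelled on Maven-style versioning, and the sample inventory at the bottom is constructed.

```python
"""Check xwiki-rendering versions against the affected ranges of CVE-2025-53836."""
import re

# Affected ranges exactly as listed on the advisory page:
# (first affected version, inclusive; fixed version, exclusive)
AFFECTED_RANGES = [
    ("4.2-milestone-1", "13.10.11"),
    ("14.0", "14.4.7"),
    ("14.5", "14.10"),
]

# Assumption: pre-release qualifiers order like Maven versions,
# milestone < rc < final release. Unknown qualifiers sort before everything.
QUALIFIER_RANK = {"milestone": 0, "rc": 1}
FINAL_RANK = 2
UNKNOWN_RANK = -1

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(?:-(\d+))?)?$")


def parse_version(version: str) -> tuple:
    """Convert '14.4.7' or '4.2-milestone-1' into a tuple that sorts the way
    release ordering does: numeric parts, then qualifier rank, then its number."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = [int(p) for p in m.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))      # so 14.10 compares like 14.10.0.0
    qualifier, number = m.group(2), m.group(3)
    if qualifier is None:
        return (*numbers, FINAL_RANK, 0)
    rank = QUALIFIER_RANK.get(qualifier.lower(), UNKNOWN_RANK)
    return (*numbers, rank, int(number or 0))


def affected_range(version: str):
    """Return the (introduced, fixed) pair the version falls into, or None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return (lo, hi)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def triage(versions):
    """Map each deployed version to the fix it needs, or 'ok' when not affected."""
    report = {}
    for ver in versions:
        rng = affected_range(ver)
        report[ver] = "ok" if rng is None else f"upgrade to {rng[1]}"
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real deployments.
    sample = ["13.10.10", "13.10.11", "14.4.6", "14.4.8", "14.9.2", "14.10", "4.2-rc-1"]
    for ver, verdict in triage(sample).items():
        print(f"{ver:>12}: {verdict}")
```

Run it against the xwiki-rendering version reported by your build (for example the artifact version in the WAR's lib directory) rather than the XWiki platform version, since the advisory's ranges are stated for the rendering module.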

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published