Remote Code Execution Vulnerability in XWiki Remote Macros by XWiki
CVE-2025-55728

10CRITICAL

Key Information:

Vendor

Xwikisas

Status
Xwiki-pro-macros
Vendor
CVE Published:
9 September 2025

What is CVE-2025-55728?

XWiki Remote Macros contains a vulnerability that allows an unauthenticated user to execute arbitrary code. This is due to the absence of escaping the classes parameter in the panel macro. When a user edits a page, they can exploit this oversight by injecting malicious XWiki syntax, leading to remote code execution. The vulnerability affects versions 1.0 through 1.26.4. A patch addressing this issue is available in version 1.26.5.

Affected Version(s)

xwiki-pro-macros >= 1.0, < 1.26.5

References

https://github.com/xwikisas/xwiki-pro-macros/security/adv...
x_refsource_CONFIRM
https://github.com/xwikisas/xwiki-pro-macros/commit/3ca81...
x_refsource_MISC
https://github.com/xwikisas/xwiki-pro-macros/blob/93ac1a3...
x_refsource_MISC

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.