Remote Code Execution Flaw in XWiki Remote Macros by XWiki
CVE-2025-55729

10 CRITICAL

Key Information:

Vendor: Xwikisas
CVE Published: 9 September 2025

What is CVE-2025-55729?

The XWiki Remote Macros component has a significant vulnerability due to missing escaping in the ConfluenceLayoutSection macro. This flaw allows any user capable of editing pages to execute arbitrary code via XWiki syntax injection. Consequently, an attacker can exploit this vulnerability to potentially gain unauthorized access or compromise the system. Users are urged to upgrade to version 1.26.5 or later to mitigate this risk.

Affected Version(s)

xwiki-pro-macros >= 1.0, < 1.26.5

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
