Stored Cross-Site Scripting Vulnerability in XWiki Blog Application
CVE-2025-66024

8.6HIGH

Key Information:

Vendor

Xwiki-contrib

Status
Application-blog-ui
Vendor
CVE Published:
4 March 2026

What is CVE-2025-66024?

The XWiki Blog Application has a vulnerability allowing attackers to execute malicious JavaScript in users' browsers. This occurs when blog post titles are injected into the HTML tag without proper sanitization. Users with permissions to create or edit blog posts can exploit this flaw to inject harmful scripts. Consequently, this could enable session hijacking or privilege escalation for anyone viewing the affected blog post. Users are encouraged to update to version 9.15.7 or later, where this issue has been resolved by implementing necessary escaping to secure the title field.

Affected Version(s)

application-blog-ui < 9.15.7

References

https://github.com/xwiki-contrib/application-blog/securit...
x_refsource_CONFIRM
https://github.com/xwiki-contrib/application-blog/commit/...
x_refsource_MISC
https://jira.xwiki.org/browse/BLOG-245
x_refsource_MISC

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.