Reflected XSS Vulnerability in XWiki Platform by XWiki
CVE-2025-66472

6.5 MEDIUM

Key Information:

Vendor:
XWiki

CVE Published:
10 December 2025

What is CVE-2025-66472?

The XWiki Platform contains a reflected cross-site scripting (XSS) vulnerability: an attacker can embed script in a deletion confirmation message, and the script executes when the user clicks the 'No' button in that confirmation. The vulnerability affects versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both the Flamingo Skin Resources and Web Templates components. Versions 16.10.10 and 17.4.2 have been released to address this issue.
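An added example, not XWiki's code, showing the bug class behind this advisory in a hypothetical confirmation-dialog builder: the unsafe pattern concatenates the message straight into markup, the hardened one encodes it for an HTML text context first (function names and the sample messages are assumptions):

```javascript
// Constructed sample messages: one benign, one carrying markup that stands in
// for untrusted input reaching a deletion confirmation.
const BENIGN = 'Delete page "Sandbox.WebHome"?';
const HOSTILE = '<img src=x onerror="alert(1)">';

// Vulnerable pattern: the message is spliced into HTML unchanged, so any tag it
// carries becomes part of the document when the confirmation is shown.
function renderUnsafe(message) {
  return '<div class="confirm"><p>' + message + '</p>' +
         '<button class="yes">Yes</button><button class="no">No</button></div>';
}

// Output encoding for an HTML text context: the five characters that can
// change parsing are replaced by entities.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: identical markup, but the message is encoded before it is
// inserted, so it is displayed literally whatever it contains.
function renderSafe(message) {
  return '<div class="confirm"><p>' + escapeHtml(message) + '</p>' +
         '<button class="yes">Yes</button><button class="no">No</button></div>';
}

// Regression check a template test could run: true if the fragment contains a
// '<' that does not open one of the builder's own div/p/button tags, i.e. a tag
// that came from the message rather than from the template.
function containsRawTag(html) {
  return /<(?!\/?(div|p|button)\b)/i.test(html);
}
```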

Affected Version(s)

  • xwiki-platform, org.xwiki.platform:xwiki-platform-flamingo-skin-resources: >= 6.2-milestone-1, < 16.10.10 (fixed in 16.10.10)

  • xwiki-platform, org.xwiki.platform:xwiki-platform-flamingo-skin-resources: >= 17.0.0-rc-1, < 17.4.2 (fixed in 17.4.2)

  • xwiki-platform, org.xwiki.platform:xwiki-platform-web-templates: >= 6.2-milestone-1, < 16.10.10 (fixed in 16.10.10)

CVSS v4

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved
