CVSS: 5.8EPSS: %CPEs: 3EXPL: 0CVE-2025-58049 – XWiki PDF export jobs store sensitive cookies unencrypted in job statuses
https://notcve.org/view.php?id=CVE-2025-58049
28 Aug 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer CWE-257: Storing Passwords in a Recoverable Format •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-54125 – XWiki Platform: Password and email exposure in xml.vm fields
https://notcve.org/view.php?id=CVE-2025-54125
05 Aug 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7... • https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-54124 – XWiki Platform: Any user with editing rights can access password properties through Database List Properties
https://notcve.org/view.php?id=CVE-2025-54124
05 Aug 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, thi... • https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 3%CPEs: 3EXPL: 0CVE-2025-32430 – XWiki Platform contains Reflected XSS vulnerability in two templates
https://notcve.org/view.php?id=CVE-2025-32430
05 Aug 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. Th... • https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-54385 – XWiki Platform's searchDocuments API allows for SQL injection
https://notcve.org/view.php?id=CVE-2025-54385
26 Jul 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL's native function support in ot... • https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 3CVE-2025-32429 – XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter
https://notcve.org/view.php?id=CVE-2025-32429
24 Jul 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1. La plataforma XWiki es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones desarrolladas sobre ella. • https://packetstorm.news/files/id/207536 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-49586 – XWiki allows remote code execution through preview of XClass changes in AWM editor
https://notcve.org/view.php?id=CVE-2025-49586
13 Jun 2025 — XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7 • CWE-863: Incorrect Authorization •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-49584 – XWiki makes title of inaccessible pages available through the class property values REST API
https://notcve.org/view.php?id=CVE-2025-49584
13 Jun 2025 — XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XC... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-49582 – XWiki's required right warnings for macros are incomplete
https://notcve.org/view.php?id=CVE-2025-49582
13 Jun 2025 — XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. For most macros, the existing analyzers don't consider non-lowercase parameters. Further, most macro parameters that can contain XWiki syntax like titles ... • https://github.com/xwiki/xwiki-platform/commit/0a705e8e253cb871b804e25c53b2bde879c886bd • CWE-357: Insufficient UI Warning of Dangerous Operations CWE-693: Protection Mechanism Failure •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-49581 – XWiki allows remote code execution through default value of wiki macro wiki-type parameters
https://notcve.org/view.php?id=CVE-2025-49581
13 Jun 2025 — XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that ha... • https://github.com/xwiki/xwiki-platform/commit/c99d501ed41cbee6a3c02ff927714531570789de • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-250: Execution with Unnecessary Privileges CWE-270: Privilege Context Switching Error •