
CVE-2025-32970 – org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability
https://notcve.org/view.php?id=CVE-2025-32970
30 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirect to any URL. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0. • https://github.com/xwiki/xwiki-platform/commit/6dab7909f45deb00efd36a0cd47788e95ad64802 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2025-32969 – org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API
https://notcve.org/view.php?id=CVE-2025-32969
23 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used... • https://github.com/xwiki/xwiki-platform/commit/5c11a874bd24a581f534d283186e209bbccd8113 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-32968 – org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API
https://notcve.org/view.php?id=CVE-2025-32968
23 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has b... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g9jj-75mx-wjcx • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-32783 – XWiki allows unregistered users to see "public" messages from a closed wiki via notifications from a different wiki
https://notcve.org/view.php?id=CVE-2025-32783
16 Apr 2025 — XWiki Platform is a generic wiki platform. A vulnerability in versions from 5.0 to 16.7.1 affects users with Message Stream enabled and a wiki configured as closed by selecting "Prevent unregistered users to view pages" in the Administrations Rights. The vulnerability is that any message sent in a subwiki to "everyone" is actually sent to the farm: any visitor of the main wiki will be able to see that message through the Dashboard, even if the subwiki is configured to be private. This issue will not be pa... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-42fh-pvvh-999x • CWE-668: Exposure of Resource to Wrong Sphere •

CVE-2025-29926 – The WikiManager REST API allows any user to create wikis
https://notcve.org/view.php?id=CVE-2025-29926
19 Mar 2025 — XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module. • https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99 • CWE-285: Improper Authorization •

CVE-2025-29925 – XWiki allows unregistered users to access private pages information through REST endpoint
https://notcve.org/view.php?id=CVE-2025-29925
19 Mar 2025 — XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpo... • https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •

CVE-2025-29924 – XWiki uses the wrong wiki reference in AuthorizationManager
https://notcve.org/view.php?id=CVE-2025-29924
19 Mar 2025 — XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages". It's possible to detect the vulnerability by ... • https://github.com/xwiki/xwiki-platform/commit/5f98bde87288326cf5787604e2bb87836875ed0e • CWE-269: Improper Privilege Management •

CVE-2025-24893 – Remote code execution as guest via SolrSearchMacros request in xwiki
https://notcve.org/view.php?id=CVE-2025-24893
20 Feb 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `

CVE-2025-23025 – Privilege escalation (PR) through realtime WYSIWYG editing in XWiki
https://notcve.org/view.php?id=CVE-2025-23025
14 Jan 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, who were already there or who may join later, have **script** or **programming** access rights... • https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection • CWE-862: Missing Authorization •

CVE-2024-55879 – XWiki allows RCE from script right in configurable sections
https://notcve.org/view.php?id=CVE-2024-55879
12 Dec 2024 — XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading. • https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d • CWE-862: Missing Authorization •