
CVE-2025-32783 – XWiki allows unregistered users to see "public" messages from a closed wiki via notifications from a different wiki
https://notcve.org/view.php?id=CVE-2025-32783
16 Apr 2025 — XWiki Platform is a generic wiki platform. A vulnerability in versions from 5.0 to 16.7.1 affects installations with Message Stream enabled and a wiki configured as closed by selecting "Prevent unregistered users to view pages" in the Administration Rights. The vulnerability is that any message sent in a subwiki to "everyone" is actually sent to the whole farm: any visitor to the main wiki will be able to see that message through the Dashboard, even if the subwiki is configured to be private. This issue will not be pa... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-42fh-pvvh-999x • CWE-668: Exposure of Resource to Wrong Sphere •

CVE-2025-29926 – The WikiManager REST API allows any user to create wikis
https://notcve.org/view.php?id=CVE-2025-29926
19 Mar 2025 — XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module. • https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99 • CWE-285: Improper Authorization •

CVE-2025-29925 – XWiki allows unregistered users to access private pages information through REST endpoint
https://notcve.org/view.php?id=CVE-2025-29925
19 Mar 2025 — XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpo... • https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •

CVE-2025-29924 – XWiki uses the wrong wiki reference in AuthorizationManager
https://notcve.org/view.php?id=CVE-2025-29924
19 Mar 2025 — XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API (but it could also be through another API) when a subwiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages". It's possible to detect the vulnerability by ... • https://github.com/xwiki/xwiki-platform/commit/5f98bde87288326cf5787604e2bb87836875ed0e • CWE-269: Improper Privilege Management •

CVE-2025-24893 – Remote code execution as guest via SolrSearchMacros request in xwiki
https://notcve.org/view.php?id=CVE-2025-24893
20 Feb 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `

CVE-2025-23025 – Privilege escalation (PR) through realtime WYSIWYG editing in XWiki
https://notcve.org/view.php?id=CVE-2025-23025
14 Jan 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, who were already there or who may join later, have **script** or **programming** access rights... • https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection • CWE-862: Missing Authorization •

CVE-2024-55879 – XWiki allows RCE from script right in configurable sections
https://notcve.org/view.php?id=CVE-2024-55879
12 Dec 2024 — XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading. • https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d • CWE-862: Missing Authorization •

CVE-2024-55877 – XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList
https://notcve.org/view.php?id=CVE-2024-55877
12 Dec 2024 — XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a ... • https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •

CVE-2024-55876 – XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
https://notcve.org/view.php?id=CVE-2024-55876
12 Dec 2024 — XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. • https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331 • CWE-862: Missing Authorization •

CVE-2024-55663 – XWiki Platform has an SQL injection in getdocuments.vm with sort parameter
https://notcve.org/view.php?id=CVE-2024-55663
12 Dec 2024 — XWiki Platform is a generic wiki platform. Starting in version 11.10.6 and prior to versions 13.10.5 and 14.3-rc-1, in `getdocument.vm` the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL. Depending on the database backend in use, the attacker may be able not only to obtain confidential information such as password hashes from the database, but also to execute UPDATE/INSERT/DELETE queries. This has been patched in 13.10.5 an... • https://github.com/xwiki/xwiki-platform/commit/673076e2e8b88a36cdeaf7007843aa9ca1a068a0 • CWE-116: Improper Encoding or Escaping of Output •