
CVE-2025-54385 – XWiki Platform's searchDocuments API allows for SQL injection
https://notcve.org/view.php?id=CVE-2025-54385
26 Jul 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 17.0.0-rc1 to 17.2.2 and in versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using functions like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL's native function support in ot... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9qm-p942-q3w5 • CWE-20: Improper Input Validation •

CVE-2025-32429 – XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter
https://notcve.org/view.php?id=CVE-2025-32429
24 Jul 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the sort parameter of the getdeleteddocuments.vm template. It's injected as-is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1. • https://github.com/byteReaper77/CVE-2025-32429 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-49586 – XWiki allows remote code execution through preview of XClass changes in AWM editor
https://notcve.org/view.php?id=CVE-2025-49586
13 Jun 2025 — XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users in XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7 • CWE-863: Incorrect Authorization •

CVE-2025-49585 – XWiki does not require right warnings for XClass definitions
https://notcve.org/view.php?id=CVE-2025-49585
13 Jun 2025 — XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and que... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-59w6-r9hm-439h • CWE-357: Insufficient UI Warning of Dangerous Operations •

CVE-2025-49584 – XWiki makes title of inaccessible pages available through the class property values REST API
https://notcve.org/view.php?id=CVE-2025-49584
13 Jun 2025 — XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible; this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XC... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv • CWE-201: Insertion of Sensitive Information Into Sent Data •

CVE-2025-49583 – XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right
https://notcve.org/view.php?id=CVE-2025-49583
13 Jun 2025 — XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing l... • https://github.com/xwiki/xwiki-platform/commit/3d96bf3ceb167bf0213d63f0be1f7e1732eb0a92 • CWE-270: Privilege Context Switching Error CWE-357: Insufficient UI Warning of Dangerous Operations •

CVE-2025-49581 – XWiki allows remote code execution through default value of wiki macro wiki-type parameters
https://notcve.org/view.php?id=CVE-2025-49581
13 Jun 2025 — XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that ha... • https://github.com/xwiki/xwiki-platform/commit/c99d501ed41cbee6a3c02ff927714531570789de • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-250: Execution with Unnecessary Privileges CWE-270: Privilege Context Switching Error •

CVE-2025-49580 – XWiki allows privilege escalation through link refactoring
https://notcve.org/view.php?id=CVE-2025-49580
13 Jun 2025 — XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7. • https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec • CWE-266: Incorrect Privilege Assignment •

CVE-2024-56158 – XWiki allows SQL injection in query endpoint of REST API with Oracle
https://notcve.org/view.php?id=CVE-2024-56158
12 Jun 2025 — XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using functions like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select, and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-prwh-7838-xf82 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-46554 – XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API
https://notcve.org/view.php?id=CVE-2025-46554
30 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. There is no filtering for the results depending on current user rights, meaning an unauthenticated user could exploit this even in a private wiki. This issue has been patched in versions 14.10.22, 15.10.12, 16.4.3, ... • https://github.com/xwiki/xwiki-platform/commit/37ecea84fdd053c33733c2ae9a0778bf98eae608 • CWE-862: Missing Authorization •