
CVE-2025-49586 – XWiki allows remote code execution through preview of XClass changes in AWM editor
https://notcve.org/view.php?id=CVE-2025-49586
13 Jun 2025 — XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users in XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7 • CWE-863: Incorrect Authorization

CVE-2025-49584 – XWiki makes title of inaccessible pages available through the class property values REST API
https://notcve.org/view.php?id=CVE-2025-49584
13 Jun 2025 — XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, which is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XC... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv • CWE-201: Insertion of Sensitive Information Into Sent Data

CVE-2025-49582 – XWiki's required right warnings for macros are incomplete
https://notcve.org/view.php?id=CVE-2025-49582
13 Jun 2025 — XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. The required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. For most macros, the existing analyzers don't consider non-lowercase parameters. Further, most macro parameters that can contain XWiki syntax like titles ... • https://github.com/xwiki/xwiki-platform/commit/0a705e8e253cb871b804e25c53b2bde879c886bd • CWE-357: Insufficient UI Warning of Dangerous Operations CWE-693: Protection Mechanism Failure

CVE-2025-49581 – XWiki allows remote code execution through default value of wiki macro wiki-type parameters
https://notcve.org/view.php?id=CVE-2025-49581
13 Jun 2025 — XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that ha... • https://github.com/xwiki/xwiki-platform/commit/c99d501ed41cbee6a3c02ff927714531570789de • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-250: Execution with Unnecessary Privileges CWE-270: Privilege Context Switching Error

CVE-2025-49580 – XWiki allows privilege escalation through link refactoring
https://notcve.org/view.php?id=CVE-2025-49580
13 Jun 2025 — XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7. • https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec • CWE-266: Incorrect Privilege Assignment

CVE-2025-48063 – XWiki Platform Security Authorization Bridge allows users with just edit right to enforce required rights with programming right
https://notcve.org/view.php?id=CVE-2025-48063
21 May 2025 — XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means t... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp • CWE-285: Improper Authorization