CVSS: 9.9EPSS: 1%CPEs: 3EXPL: 0CVE-2025-53836 – XWiki Rendering is vulnerable to RCE attacks when processing nested macros
https://notcve.org/view.php?id=CVE-2025-53836
14 Jul 2025 — XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that a... • https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53835 – XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax
https://notcve.org/view.php?id=CVE-2025-53835
14 Jul 2025 — XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version... • https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 9.9EPSS: 9%CPEs: 2EXPL: 1CVE-2023-37912 – XWiki Rendering's footnote macro vulnerable to privilege escalation via the footnote macro
https://notcve.org/view.php?id=CVE-2023-37912
25 Oct 2023 — XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Prior to version 14.10.6 of `org.xwiki.platform:xwiki-core-rendering-macro-footnotes` and `org.xwiki.platform:xwiki-rendering-macro-footnotes` and prior to version 15.1-rc-1 of `org.xwiki.platform:xwiki-rendering-macro-footnotes`, the footnote macro executed its content in a potentially different context than the one in which it was defined. In particular in combination with the include macro, th... • https://github.com/xwiki/xwiki-rendering/commit/5f558b8fac8b716d19999225f38cb8ed0814116e • CWE-270: Privilege Context Switching Error •