CVE-2025-49581

Description

XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that has programming right like the page XWiki.ChildrenMacro and thus allows arbitrary script macros. This vulnerability has been patched in XWiki 16.4.7, 16.10.3 and 17.0.0 by executing wiki parameters with the rights of the wiki macro's author when the parameter's value is the default value.

CVSS v3.1 Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

CWE-94 CWE-94

CWE-250 CWE-250

CWE-270 CWE-270

Affected Products

Vendor	Product	Versions
xwiki	xwiki	11.10.11 — 12.0
xwiki	xwiki	12.6.3 — 12.7
xwiki	xwiki	12.8 — 16.4.7
xwiki	xwiki	16.5.0 — 16.10.3
xwiki	xwiki	All

References

Advisories & Patches

https://github.com/xwiki/xwiki-platform/commit/c99d501ed41cbee6a3c02ff927714531570789de https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9875-cw22-f7cx https://jira.xwiki.org/browse/XWIKI-22760

Exploits

https://jira.xwiki.org/browse/XWIKI-22760

Frequently Asked Questions

What is CVE-2025-49581? +

XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that has programming right like the page XWiki.ChildrenMacro and thus allows arbitrary script macros. This vulnerability has been patched in XWiki 16.4.7, 16.10.3 and 17.0.0 by executing wiki parameters with the rights of the wiki macro's author when the parameter's value is the default value. It has a CVSS v3.1 base score of 8.8 (HIGH).

How severe is CVE-2025-49581? +

CVE-2025-49581 has a CVSS v3.1 score of 8.8 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.

What products are affected by CVE-2025-49581? +

CVE-2025-49581 affects products from xwiki, specifically: xwiki. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-49581? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-22136

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.217 , Tabby enables several high-risk Electron Fuses, including …

CVE-2025-24482

A Local Code Injection Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect default …

CVE-2026-41486

Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types …

CVE-2025-24959

zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment …

CVE-2021-41527

An error related to the 2-factor authorization (2FA) on the RISC Platform prior to the saas-2021-12-29 release can potentially be …

CVE-2024-45480

An improper control of generation of code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL <4.4-00P5 may allow …