CVE-2025-51991

HIGH
Published Aug 20, 2025 Modified Sep 11, 2025 CWE-79 CWE-94

Description

XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.

Is your site exposed to CVE-2025-51991?

Run a free security scan — no signup, results in seconds.

CVSS v3.1 Score

8.8
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

CWE-79 Cross-site Scripting (XSS)
CWE-94 CWE-94

Affected Products

Vendor Product
xwiki xwiki

References

Frequently Asked Questions

What is CVE-2025-51991? +
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields. It has a CVSS v3.1 base score of 8.8 (HIGH).
How severe is CVE-2025-51991? +
CVE-2025-51991 has a CVSS v3.1 score of 8.8 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.
What products are affected by CVE-2025-51991? +
CVE-2025-51991 affects products from xwiki, specifically: xwiki. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-51991? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-51991 — free, no signup required.