CVE-2025-29926
- Source
- https://cve.org/CVERecord?id=CVE-2025-29926
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-29926.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-29926
- Aliases
- Published
- 2025-03-19T17:40:44.937Z
- Modified
- 2026-04-10T05:24:37.494401Z
- Severity
-
- 7.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- The WikiManager REST API allows any user to create wikis
- Details
-
XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/29xxx/CVE-2025-29926.json", "cwe_ids": [ "CWE-285" ] }- References
-
- https://jira.xwiki.org/browse/XWIKI-22490
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/29xxx/CVE-2025-29926.json
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gfp2-6qhm-7x43
- https://nvd.nist.gov/vuln/detail/CVE-2025-29926
- https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99
Affected packages
Git / github.com/xwiki/xwiki-platform
Affected ranges
- Type
- GIT
- Repo
- https://github.com/xwiki/xwiki-platform
- Events
- Database specific
{ "versions": [ { "introduced": "5.4-rc-1" }, { "fixed": "15.10.15" } ] }