CVE-2025-29926
- Source
- https://cve.org/CVERecord?id=CVE-2025-29926
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-29926.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-29926
- Aliases
- Published
- 2025-03-19T17:40:44.937Z
- Modified
- 2026-03-03T01:23:07.760028Z
- Severity
-
- 7.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- The WikiManager REST API allows any user to create wikis
- Details
-
XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.
- Database specific
{ "cwe_ids": [ "CWE-285" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/29xxx/CVE-2025-29926.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/29xxx/CVE-2025-29926.json
- https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gfp2-6qhm-7x43
- https://jira.xwiki.org/browse/XWIKI-22490
- https://nvd.nist.gov/vuln/detail/CVE-2025-29926
Affected packages
Git / github.com/xwiki/xwiki-commons
Git / github.com/xwiki/xwiki-platform
Affected ranges
- Type
- GIT
- Repo
- https://github.com/xwiki/xwiki-platform
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroducedFixed
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-29926.json"
vanir_signatures
[
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "145138911333116156932801404572473754183",
"length": 699.0
},
"source": "https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99",
"signature_type": "Function",
"id": "CVE-2025-29926-4647bf0a",
"target": {
"file": "xwiki-platform-core/xwiki-platform-wiki/xwiki-platform-wiki-test/xwiki-platform-wiki-test-docker/src/test/it/org/xwiki/wiki/test/ui/WikiManagerRestIT.java",
"function": "testCreateWiki"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "136977776990741723456840021900476527958",
"length": 1189.0
},
"source": "https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99",
"signature_type": "Function",
"id": "CVE-2025-29926-64028966",
"target": {
"file": "xwiki-platform-core/xwiki-platform-wiki/xwiki-platform-wiki-rest/xwiki-platform-wiki-rest-default/src/main/java/org/xwiki/wiki/rest/internal/DefaultWikiManagerREST.java",
"function": "createWiki"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"194852623539970443049457818056228958556",
"11851513737974760058981775176370363788",
"18274796213803357745065772601220216655",
"297124009344179838133698248164502254622",
"329884255963922103776634491150346956902",
"47187333835725368124455085892250447537",
"309010011354117765339221807264325393930",
"193987928259321446948057653247122197991",
"332079189261295009746431663159878753806"
]
},
"source": "https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99",
"signature_type": "Line",
"id": "CVE-2025-29926-e80cd283",
"target": {
"file": "xwiki-platform-core/xwiki-platform-wiki/xwiki-platform-wiki-test/xwiki-platform-wiki-test-docker/src/test/it/org/xwiki/wiki/test/ui/WikiManagerRestIT.java"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"264384737997349318195274570942965788420",
"43028479490179673797792835731386470314",
"161975826637125127619329270572392285215",
"167730739172265841742254973954310235525",
"213757039702448234642536641229927316271",
"30522081277996721395358461889153467927",
"71758908859836256347262219309466512957",
"195747461370752776028671107475977911821",
"221650479933645894846841051130081294306",
"289654342592549382479786958877913466166",
"153268607032236178726549757758219667538",
"221986622452641619003816678761031974721",
"20320921208176124173039849323261532663",
"21690074120937329021136470775182028009",
"294569733729838147537027442068504674078",
"176330224432664529524635206478436883220",
"288475193366529303506145919463496300063",
"214048398360616472362698969961783712094",
"298361159490951815602314623942716007108",
"102657676468603031880862257197863717859",
"66134933129111397501282812195616592449",
"52524951659162553705500515617447845244",
"323477948845357092667236071936131984553",
"125553043650161038309239559380660751975",
"210182291698931233130549723069366261728"
]
},
"source": "https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99",
"signature_type": "Line",
"id": "CVE-2025-29926-ee568882",
"target": {
"file": "xwiki-platform-core/xwiki-platform-wiki/xwiki-platform-wiki-rest/xwiki-platform-wiki-rest-default/src/main/java/org/xwiki/wiki/rest/internal/DefaultWikiManagerREST.java"
}
}
]