CVE-2025-32429

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-32429
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32429.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32429
Aliases
Published
2025-07-24T22:22:35.102Z
Modified
2026-04-10T05:25:10.922730Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter
Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32429.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
5e66d5ffffeedaa28a731c304a173e2f5a35a60d
Fixed
0708ca6ba734c6d79984d887b9afa11d7255d1a0
Database specific 
{
    "versions": [
        {
            "introduced": "9.4-rc-1"
        },
        {
            "fixed": "16.10.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
445c0831fb8cf5610eda0eb58225890cb2bece6c
Fixed
009c61e5ba0be6a1197fb082414f878418574d54
Database specific 
{
    "versions": [
        {
            "introduced": "17.0.0-rc-1"
        },
        {
            "fixed": "17.3.0-rc-1"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32429.json"