CVE-2025-49581

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-49581
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49581.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-49581
Aliases
Published
2025-06-13T16:09:22.997Z
Modified
2026-04-10T05:28:59.714971Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
XWiki allows remote code execution through default value of wiki macro wiki-type parameters
Details

XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that has programming right like the page XWiki.ChildrenMacro and thus allows arbitrary script macros. This vulnerability has been patched in XWiki 16.4.7, 16.10.3 and 17.0.0 by executing wiki parameters with the rights of the wiki macro's author when the parameter's value is the default value.

Database specific 
{
    "cwe_ids": [
        "CWE-250",
        "CWE-270",
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49581.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
75ba7238e2776f5e4c02ac169b0b638f49fc73c8
Fixed
06d635e2672df934233b04c097afef29f62587da
Database specific 
{
    "versions": [
        {
            "introduced": "11.10.11"
        },
        {
            "fixed": "12.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
e4053a8b2f2182ddca099099e35b1d30098eaf25
Fixed
51217c93c66345dd99c93605060f30ec8d1c36ee
Database specific 
{
    "versions": [
        {
            "introduced": "12.6.3"
        },
        {
            "fixed": "12.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
593f88841a014b57614f474d69fe04948b124a87
Fixed
f5a9a0762750936523187286919ec4c1892d6fea
Database specific 
{
    "versions": [
        {
            "introduced": "12.8-rc-1"
        },
        {
            "fixed": "16.4.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
ed06c998964cae931ccfe7005a67eeaedaf60e58
Fixed
8cde0f326b60732330378e3ac10c630021e9cad7
Database specific 
{
    "versions": [
        {
            "introduced": "16.5.0-rc-1"
        },
        {
            "fixed": "16.10.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
445c0831fb8cf5610eda0eb58225890cb2bece6c
Fixed
7edb5b7d98170ec081c7e30237971d7dfb8a4401
Database specific 
{
    "versions": [
        {
            "introduced": "17.0.0-rc-1"
        },
        {
            "fixed": "17.0.0"
        }
    ]
}

Affected versions

xwiki-platform-17.*
xwiki-platform-17.0.0-rc-1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49581.json"