CVE-2025-55728

Source
https://cve.org/CVERecord?id=CVE-2025-55728
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55728.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-55728
Aliases
  • GHSA-48f4-h726-74p5
Published
2025-09-09T18:40:51.874Z
Modified
2026-04-10T05:26:19.976783Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
XWiki Remote Macros vulnerable to remote code execution using the panel macro
Details

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit any page The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 contains a patch for the issue.

Database specific
{
    "cwe_ids": [
        "CWE-95"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55728.json"
}
References

Affected packages

Git / github.com/xwikisas/xwiki-pro-macros

Affected ranges

Type
GIT
Repo
https://github.com/xwikisas/xwiki-pro-macros
Events

Affected versions

xwiki-pro-macros-1.*
xwiki-pro-macros-1.0
xwiki-pro-macros-1.1
xwiki-pro-macros-1.1.1
xwiki-pro-macros-1.10
xwiki-pro-macros-1.10.1
xwiki-pro-macros-1.12
xwiki-pro-macros-1.13
xwiki-pro-macros-1.14.5
xwiki-pro-macros-1.2
xwiki-pro-macros-1.2.1
xwiki-pro-macros-1.2.2
xwiki-pro-macros-1.6
xwiki-pro-macros-1.6.1
xwiki-pro-macros-1.7
xwiki-pro-macros-1.7.1
xwiki-pro-macros-1.8
xwiki-pro-macros-1.8.1
xwiki-pro-macros-1.9.3
xwiki-pro-macros-parent-1.*
xwiki-pro-macros-parent-1.11.0
xwiki-pro-macros-parent-1.14.0
xwiki-pro-macros-parent-1.14.1
xwiki-pro-macros-parent-1.14.2
xwiki-pro-macros-parent-1.14.3
xwiki-pro-macros-parent-1.14.4
xwiki-pro-macros-parent-1.15.0
xwiki-pro-macros-parent-1.15.1
xwiki-pro-macros-parent-1.16.0
xwiki-pro-macros-parent-1.16.1
xwiki-pro-macros-parent-1.16.2
xwiki-pro-macros-parent-1.16.3
xwiki-pro-macros-parent-1.16.4
xwiki-pro-macros-parent-1.16.5
xwiki-pro-macros-parent-1.16.6
xwiki-pro-macros-parent-1.17.0
xwiki-pro-macros-parent-1.17.1
xwiki-pro-macros-parent-1.17.2
xwiki-pro-macros-parent-1.17.3
xwiki-pro-macros-parent-1.18.0
xwiki-pro-macros-parent-1.18.1
xwiki-pro-macros-parent-1.18.2
xwiki-pro-macros-parent-1.18.3
xwiki-pro-macros-parent-1.19.0
xwiki-pro-macros-parent-1.19.1
xwiki-pro-macros-parent-1.19.2
xwiki-pro-macros-parent-1.19.3
xwiki-pro-macros-parent-1.19.4
xwiki-pro-macros-parent-1.19.5
xwiki-pro-macros-parent-1.19.6
xwiki-pro-macros-parent-1.19.7
xwiki-pro-macros-parent-1.19.8
xwiki-pro-macros-parent-1.19.9
xwiki-pro-macros-parent-1.20.0
xwiki-pro-macros-parent-1.21.0
xwiki-pro-macros-parent-1.22.0
xwiki-pro-macros-parent-1.22.1
xwiki-pro-macros-parent-1.22.2
xwiki-pro-macros-parent-1.22.3
xwiki-pro-macros-parent-1.23.0
xwiki-pro-macros-parent-1.23.1
xwiki-pro-macros-parent-1.23.2
xwiki-pro-macros-parent-1.24.0
xwiki-pro-macros-parent-1.25.0
xwiki-pro-macros-parent-1.25.1
xwiki-pro-macros-parent-1.25.2
xwiki-pro-macros-parent-1.25.3
xwiki-pro-macros-parent-1.25.4
xwiki-pro-macros-parent-1.25.5
xwiki-pro-macros-parent-1.26.0
xwiki-pro-macros-parent-1.26.1
xwiki-pro-macros-parent-1.26.2
xwiki-pro-macros-parent-1.26.3
xwiki-pro-macros-parent-1.26.4
xwiki-pro-macros-parent-1.4
xwiki-pro-macros-parent-1.5
xwiki-pro-macros-parent-1.9
xwiki-pro-macros-parent-1.9.1
xwiki-pro-macros-parent-1.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55728.json"