CVE-2025-55730

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-55730
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55730.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-55730
Aliases
  • GHSA-5w8v-h22g-j2mp
Published
2025-09-09T18:53:53.410Z
Modified
2026-04-10T05:26:19.906515Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
XWiki Remote Macros vulnerable to remote code execution using the confluence paste code macro
Details

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55730.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-116"
    ]
}
References

Affected packages

Git / github.com/xwikisas/xwiki-pro-macros

Affected ranges

Type
GIT
Repo
https://github.com/xwikisas/xwiki-pro-macros
Events
Introduced
0f0c8079a4efeef5221b757ff499cd8f60ca5d5f
Fixed
61d5644ce198a52f3e0a89be8161df0d2cb25f5e

Affected versions

xwiki-pro-macros-1.*
xwiki-pro-macros-1.0
xwiki-pro-macros-1.1
xwiki-pro-macros-1.1.1
xwiki-pro-macros-1.10
xwiki-pro-macros-1.10.1
xwiki-pro-macros-1.12
xwiki-pro-macros-1.13
xwiki-pro-macros-1.14.5
xwiki-pro-macros-1.2
xwiki-pro-macros-1.2.1
xwiki-pro-macros-1.2.2
xwiki-pro-macros-1.6
xwiki-pro-macros-1.6.1
xwiki-pro-macros-1.7
xwiki-pro-macros-1.7.1
xwiki-pro-macros-1.8
xwiki-pro-macros-1.8.1
xwiki-pro-macros-1.9.3
xwiki-pro-macros-parent-1.*
xwiki-pro-macros-parent-1.11.0
xwiki-pro-macros-parent-1.14.0
xwiki-pro-macros-parent-1.14.1
xwiki-pro-macros-parent-1.14.2
xwiki-pro-macros-parent-1.14.3
xwiki-pro-macros-parent-1.14.4
xwiki-pro-macros-parent-1.15.0
xwiki-pro-macros-parent-1.15.1
xwiki-pro-macros-parent-1.16.0
xwiki-pro-macros-parent-1.16.1
xwiki-pro-macros-parent-1.16.2
xwiki-pro-macros-parent-1.16.3
xwiki-pro-macros-parent-1.16.4
xwiki-pro-macros-parent-1.16.5
xwiki-pro-macros-parent-1.16.6
xwiki-pro-macros-parent-1.17.0
xwiki-pro-macros-parent-1.17.1
xwiki-pro-macros-parent-1.17.2
xwiki-pro-macros-parent-1.17.3
xwiki-pro-macros-parent-1.18.0
xwiki-pro-macros-parent-1.18.1
xwiki-pro-macros-parent-1.18.2
xwiki-pro-macros-parent-1.18.3
xwiki-pro-macros-parent-1.19.0
xwiki-pro-macros-parent-1.19.1
xwiki-pro-macros-parent-1.19.2
xwiki-pro-macros-parent-1.19.3
xwiki-pro-macros-parent-1.19.4
xwiki-pro-macros-parent-1.19.5
xwiki-pro-macros-parent-1.19.6
xwiki-pro-macros-parent-1.19.7
xwiki-pro-macros-parent-1.19.8
xwiki-pro-macros-parent-1.19.9
xwiki-pro-macros-parent-1.20.0
xwiki-pro-macros-parent-1.21.0
xwiki-pro-macros-parent-1.22.0
xwiki-pro-macros-parent-1.22.1
xwiki-pro-macros-parent-1.22.2
xwiki-pro-macros-parent-1.22.3
xwiki-pro-macros-parent-1.23.0
xwiki-pro-macros-parent-1.23.1
xwiki-pro-macros-parent-1.23.2
xwiki-pro-macros-parent-1.24.0
xwiki-pro-macros-parent-1.25.0
xwiki-pro-macros-parent-1.25.1
xwiki-pro-macros-parent-1.25.2
xwiki-pro-macros-parent-1.25.3
xwiki-pro-macros-parent-1.25.4
xwiki-pro-macros-parent-1.25.5
xwiki-pro-macros-parent-1.26.0
xwiki-pro-macros-parent-1.26.1
xwiki-pro-macros-parent-1.26.2
xwiki-pro-macros-parent-1.26.3
xwiki-pro-macros-parent-1.26.4
xwiki-pro-macros-parent-1.4
xwiki-pro-macros-parent-1.5
xwiki-pro-macros-parent-1.9
xwiki-pro-macros-parent-1.9.1
xwiki-pro-macros-parent-1.9.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55730.json"