XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contains credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.
{
"cwe_ids": [
"CWE-284"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55749.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "16.7.0"
},
{
"fixed": "16.10.11"
},
{
"introduced": "17.0.0"
},
{
"fixed": "17.4.4"
},
{
"introduced": "17.5.0"
},
{
"fixed": "17.7.0"
}
],
"source": "CPE_RANGE"
}{
"cpe": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "16.7.0"
},
{
"fixed": "16.10.11"
},
{
"introduced": "17.0.0"
},
{
"fixed": "17.4.4"
},
{
"introduced": "17.5.0"
},
{
"fixed": "17.7.0"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}