CVE-2025-29926

19.03.2025, 18:15

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
GitHub_M	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Common Weakness Enumeration

CWE-285 - Improper Authorization
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References

https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gfp2-6qhm-7x43

https://jira.xwiki.org/browse/XWIKI-22490