CVE-2025-49586

XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 86%
VendorProductVersion
xwikixwiki
7.3 ≤
𝑥
< 16.4.7
xwikixwiki
16.5.0 ≤
𝑥
< 16.10.3
xwikixwiki
7.2:milestone2
xwikixwiki
7.2:milestone3
xwikixwiki
17.0.0:rc1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7
https://jira.xwiki.org/browse/XWIKI-22719