← back
CVE-2025-49580

XWiki allows privilege escalation through link refactoring

CVSS 8.5 HIGHEPSS 0.4%CWE-266
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.5EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
13 Jun 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
xwiki · xwiki-platform

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cechttps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6https://jira.xwiki.org/browse/XWIKI-22836