SB2026050580 - Multiple vulnerabilities in XWiki platform
Published: May 5, 2026
Description
This security bulletin contains information about 14 vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2025-32968)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL statements and disclose sensitive information.
The vulnerability exists due to missing authorization in the script query API when processing short form select requests. A remote privileged user can send a specially crafted query to execute arbitrary SQL statements and disclose sensitive information.
Exploitation requires SCRIPT right and allows escaping the HQL execution context; depending on the database backend, UPDATE, INSERT, and DELETE queries may also be possible.
2) SQL injection (CVE-ID: CVE-2025-32969)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary SQL statements on the database backend.
The vulnerability exists due to SQL injection in the query endpoint of the REST API when processing user-supplied HQL queries. A remote attacker can send a specially crafted query request to execute arbitrary SQL statements on the database backend.
The issue can be exploited in a default installation, including official Docker deployments, and remains exploitable even when settings preventing unregistered users from viewing or editing pages are enabled.
3) Improper access control (CVE-ID: CVE-2025-48063)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in required rights enforcement in the authorization bridge when setting programming right as a required right on a document. A remote user can modify a document they can edit to set programming right as a required right and execute arbitrary code.
User interaction is required because a user with programming right must edit the document for the document content to gain programming right.
4) SQL injection (CVE-ID: CVE-2024-56158)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary SQL queries.
The vulnerability exists due to improper neutralization of special elements used in an SQL command in the query endpoint of the REST API when processing HQL queries on Oracle. A remote attacker can send a specially crafted query using native Oracle functions to execute arbitrary SQL queries.
The issue affects Oracle deployments because Hibernate allows using native functions in an HQL query and the query validator does not sanitize functions used in a simple select.
5) Incorrect Privilege Assignment (CVE-ID: CVE-2025-49580)
CWE-ID: CWE-266 - Incorrect Privilege Assignment
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary script code with elevated privileges.
The vulnerability exists due to incorrect privilege assignment in the link refactoring feature when renaming or moving the target of a link on a page. A remote user can create a page containing a link so that a later refactoring operation causes scripts contained in xobjects on that page to run with the elevated privileges of the user performing the refactoring, allowing arbitrary script code to be executed with those privileges.
User interaction is required, as a user with more rights must perform the move or rename operation on the targeted page.
6) Incorrect authorization (CVE-ID: CVE-2025-49582)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in required rights analyzers for macros when analyzing macro parameters that contain XWiki syntax. A remote user can add malicious script macros hidden in non-lowercase or otherwise unanalyzed parameters to execute arbitrary code.
User interaction is required because another user with programming rights must edit the page.
7) Improper access control (CVE-ID: CVE-2025-49584)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the class property values REST API when handling requests for page property values. A remote attacker can send a specially crafted request to disclose sensitive information.
Only page titles are exposed, one title per request, and exploitation requires knowledge of the target page reference. Fully private wikis are not affected.
8) Improper privilege management (CVE-ID: CVE-2025-49581)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper privilege management in wiki macro wiki-type parameters when processing default parameter values in a wiki macro used by a document with programming rights. A remote user can define or override a wiki macro with a crafted default parameter value to execute arbitrary code.
Exploitation requires edit rights on a page and can lead to execution with the programming rights of the author of the document where the macro is used.
9) Improper access control (CVE-ID: CVE-2025-49586)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in the App Within Minutes editor preview of XClass changes when editing an application. A remote user can edit an App Within Minutes application to execute arbitrary code.
Exploitation requires edit right on at least one App Within Minutes application.
10) Improper Authorization (CVE-ID: CVE-2025-49583)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to send spam or phishing notifications to other users.
The vulnerability exists due to improper access control in NotificationEmailRendererClass email templates when an administrator edits and saves a document previously created by a low-privileged user with an XWiki.Notifications.Code.NotificationEmailRendererClass object. A remote user can create such a document to send spam or phishing notifications to other users.
User interaction is required because an administrator must edit and save the crafted document.
11) Cross-site scripting (CVE-ID: CVE-2025-49587)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script code in an administrator context.
The vulnerability exists due to improper neutralization of user-controlled content in XWiki.Notifications.Code.NotificationDisplayerClass objects when an administrator edits and saves a document created by a user without script right. A remote user can create a document containing a malicious notification displayer object to execute arbitrary script code in an administrator context.
User interaction is required because an administrator must edit and save the crafted document.
12) Improper Authorization (CVE-ID: CVE-2025-49585)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code with the rights of another user.
The vulnerability exists due to improper access control in XClass definitions when a document containing dangerous XClass properties is later edited by a higher-privileged user. A remote user can create a malicious XClass definition to execute arbitrary code with the rights of another user.
User interaction is required because a user with script, admin, or programming right must later edit the same document.
13) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2025-54125)
CWE-ID: CWE-359 - Exposure of Private Information ('Privacy Violation')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of private personal information in the xml.vm XML export when handling requests with the ?xpage=xml parameter for a page the requester can view. A remote attacker can request the XML export of a page to disclose sensitive information.
The issue exposes password and email properties stored on a document when those fields are not named password or email, including salted and hashed account validation or password reset tokens.
14) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2025-54124)
CWE-ID: CWE-359 - Exposure of Private Information ('Privacy Violation')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in database list properties when referencing password properties. A remote user can create an XClass with a database list property that references a password property and add an object of that XClass to disclose sensitive information.
In practice, with a standard rights setup, any user with an account on the wiki can access password hashes of all users, and possibly other password properties on pages that the user can view.
Remediation
Install the update from the vendor's website.
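Until the update is applied, the two vectors the bulletin describes as reachable without credentials (the REST query endpoint accepting HQL in items 2 and 4, and the ?xpage=xml export in item 13) can be spotted in web server access logs. The script below is an added example, not part of the bulletin or of XWiki; the REST path pattern /rest/wikis/{wiki}/query and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2026:10:01:02 +0000] "GET /xwiki/rest/wikis/xwiki/query?q=select+doc.fullName+from+XWikiDocument+doc&type=hql HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [05/May/2026:10:01:09 +0000] "GET /xwiki/bin/view/XWiki/Admin?xpage=xml HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.4 - - [05/May/2026:10:02:30 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.4 - - [05/May/2026:10:03:00 +0000] "GET /xwiki/rest/wikis/xwiki/query?q=where+doc.space%3D%27Main%27&type=xwql HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed path of XWiki's REST query endpoint (/rest/wikis/{wiki}/query); the bulletin does not quote it.
REST_QUERY_RE = re.compile(r"/rest/wikis/[^/]+/query$")


def classify(line):
    """Return (ip, timestamp, cve_tag, detail) tuples for a log line that matches a bulletin vector."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query)
    hits = []
    # Items 2 and 4: HQL submitted to the REST query endpoint (item 4 is the same endpoint on Oracle).
    if REST_QUERY_RE.search(url.path) and "hql" in [v.lower() for v in params.get("type", [])]:
        hits.append(("CVE-2025-32969", unquote(params.get("q", [""])[0])))
    # Item 13: XML export of a viewable page via ?xpage=xml exposes unnamed password/email properties.
    if "xml" in [v.lower() for v in params.get("xpage", [])]:
        hits.append(("CVE-2025-54125", url.path))
    return [(m.group("ip"), m.group("ts"), tag, detail) for tag, detail in hits]


def scan(log_text):
    """Run classify() over every line and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(classify(line))
    return findings


if __name__ == "__main__":
    for ip, ts, tag, detail in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {tag}: {detail}")
```

Both endpoints have legitimate uses, so a match is a candidate for review (who sent it, which page, how often) rather than proof of exploitation.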
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g9jj-75mx-wjcx
- https://jira.xwiki.org/browse/XWIKI-22718
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f69v-xrj8-rhxf
- https://jira.xwiki.org/browse/XWIKI-22691
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp
- https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-prwh-7838-xf82
- https://jira.xwiki.org/browse/XWIKI-22734
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6
- https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c32m-27pj-4xcj
- https://github.com/xwiki/xwiki-platform/commit/abdcefc0db27035b67329add836fd683e0cf92b8
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv
- https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9875-cw22-f7cx
- https://github.com/xwiki/xwiki-platform/commit/c99d501ed41cbee6a3c02ff927714531570789de
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7
- https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ff6v-w58f-v97w
- https://github.com/xwiki/xwiki-platform/commit/3d96bf3ceb167bf0213d63f0be1f7e1732eb0a92
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7
- https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-59w6-r9hm-439h
- https://github.com/xwiki/xwiki-platform/commit/385bde985cdb61ebf315d30c0b144b6d2e2c2d45
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3
- https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69
- https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24