SB2026050582 - Multiple vulnerabilities in XWiki platform


Published: May 5, 2026

Security Bulletin ID: SB2026050582
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 100%

Description

This security bulletin contains information about 2 vulnerabilities.


1) SQL injection (CVE-ID: CVE-2025-52472)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary queries.

The vulnerability exists due to SQL injection in the wiki and space search REST API when processing the orderField parameter. A remote attacker can send a specially crafted REST request to execute arbitrary queries.

The injected value is inserted twice into the generated query, which constrains exploitation but does not prevent it.


2) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2025-66472)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary actions in the victim's XWiki session.

The vulnerability exists because the xredirect parameter of DeleteApplication is not properly neutralized when it is rendered in the deletion confirmation message. A remote attacker can send a specially crafted URL to a victim to execute arbitrary actions in the victim's XWiki session.

User interaction is required: the victim must click the "No" button on the deletion confirmation message. If the victim has admin or programming rights, exploitation can lead to remote code execution.


Remediation

Install the update from the vendor's website.