Cross-site scripting in XWiki platform - CVE-2025-49587

Published: May 5, 2026


Vulnerability identifier: #VU129884
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-49587
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script code in an administrator context.

The vulnerability exists due to improper neutralization of user-controlled content in XWiki.Notifications.Code.NotificationDisplayerClass objects when an administrator edits and saves a document created by a user without script right. A remote user can create a document containing a malicious notification displayer object to execute arbitrary script code in an administrator context.

User interaction is required because an administrator must edit and save the crafted document.


How to mitigate CVE-2025-49587

Install the security update from the vendor's website.

Sources