Exposure of Private Information ('Privacy Violation') in XWiki platform - CVE-2025-54124

Published: May 5, 2026


Vulnerability identifier: #VU129888
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-54124
CWE-ID: CWE-359
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in database list properties when referencing password properties. A remote user can create an XClass with a database list property that references a password property and add an object of that XClass to disclose sensitive information.

In practice, with a standard rights setup, any user with an account on the wiki can access password hashes of all users, and possibly other password properties on pages that the user can view.


How to mitigate CVE-2025-54124

Install the security update from the vendor's website.

Sources