Improper Removal of Sensitive Information Before Storage or Transfer in XWiki platform - CVE-2025-58049

Published: May 5, 2026


Vulnerability identifier: #VU129889
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-58049
CWE-ID: CWE-212
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists because sensitive information is not removed before storage or transfer: when a PDF export request is processed in a background job, the serialization of that job's status does not strip sensitive data. A remote privileged user can trigger a PDF export to disclose sensitive information.

The stored job status can include user cookies, including encrypted credentials, and the encryption key is stored in the same data directory by default.
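The pattern described above, as an added illustration that is not XWiki code: a background job's status is persisted together with the request context that started it, so cookies (including credential-bearing ones) end up in storage. The block shows the defective serialization beside a redacting one, plus an audit that scans an already-stored status for leaked keys. `JobStatus`, `serialize_job_status`, `redact_request` and `audit_stored_status` are hypothetical names, and the sample request and cookie names are constructed placeholders.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Any

# Request fields that must never reach persistent job storage.
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}

# Constructed sample of a request context captured by a background job;
# the cookie contents are placeholders, not real XWiki cookie names.
SAMPLE_REQUEST = {
    "url": "/bin/export/Main/WebHome?format=pdf",
    "headers": {"Cookie": "session=PLACEHOLDER; enc_cred=PLACEHOLDER",
                "User-Agent": "Mozilla/5.0", "Accept": "application/pdf"},
    "cookies": {"session": "PLACEHOLDER", "enc_cred": "PLACEHOLDER"},
}

@dataclass
class JobStatus:  # hypothetical, not the XWiki class
    job_id: str
    state: str
    request: dict[str, Any] = field(default_factory=dict)

def serialize_job_status_vulnerable(status: JobStatus) -> str:
    """Defect pattern: the whole request context, cookies included, is stored."""
    return json.dumps({"id": status.job_id, "state": status.state,
                       "request": status.request})

def redact_request(request: dict[str, Any]) -> dict[str, Any]:
    """Keep only what the job needs; drop cookies and credential headers."""
    safe = {k: v for k, v in request.items() if k not in ("headers", "cookies")}
    safe["headers"] = {k: v for k, v in request.get("headers", {}).items()
                       if k.lower() not in SENSITIVE_HEADERS}
    return safe

def serialize_job_status(status: JobStatus) -> str:
    """Hardened form: redact before the status is serialized."""
    return json.dumps({"id": status.job_id, "state": status.state,
                       "request": redact_request(status.request)})

# JSON keys whose presence means credentials leaked into a stored status file.
LEAK_KEY = re.compile(r'"(cookie|cookies|set-cookie|authorization)"\s*:', re.I)

def audit_stored_status(serialized: str) -> list[str]:
    """Scan an already-stored status (e.g. read from disk) for leaked keys."""
    return sorted({m.group(1).lower() for m in LEAK_KEY.finditer(serialized)})
```

Running `audit_stored_status` over the serialized status files in a job store is a quick way to tell whether an instance persisted cookies before the update was applied.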


How to mitigate CVE-2025-58049

Install the security update from the vendor's website.

Sources