Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2025-66472


Published: May 5, 2026


Vulnerability identifier: #VU129894
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-66472
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary actions in the victim's XWiki session.

The vulnerability exists due to improper neutralization of script-related HTML tags in a web page in the handling of the xredirect parameter of DeleteApplication when rendering a deletion confirmation message. A remote attacker can send a specially crafted URL to a victim to execute arbitrary actions in the victim's XWiki session.

User interaction is required: the victim must click the "No" button on the deletion confirmation message. If the victim has admin or programming rights, exploitation can lead to remote code execution.
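As an added illustration (this is not XWiki's code; the function names, the fallback path and the markup are assumptions), the Python below shows the defensive pattern that addresses this class of bug: a user-supplied redirect parameter is first validated as a same-site relative path, and then escaped for the HTML attribute context when the confirmation page's "No" link is rendered. The unsafe variant is kept only to show the contrast in output.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Constructed example, not XWiki code: hardened handling of a
# user-controlled "xredirect" parameter on a confirmation page.

DEFAULT_REDIRECT = "/bin/view/Main/"  # assumed fallback destination (hypothetical)


def is_safe_redirect(target: str) -> bool:
    """Accept only same-origin relative paths such as "/bin/view/Space/Page".

    Rejects absolute URLs (any scheme), scheme-relative "//host" URLs,
    backslashes (browsers may treat them as slashes) and control characters
    that could break out of the attribute or smuggle header/markup breaks.
    """
    if not target or not target.startswith("/") or target.startswith("//"):
        return False
    if any(ord(c) < 0x20 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def resolve_redirect(target: Optional[str]) -> str:
    """Return the validated destination, or the fixed default if it fails validation."""
    return target if target and is_safe_redirect(target) else DEFAULT_REDIRECT


def render_cancel_button_unsafe(xredirect: str) -> str:
    """The pattern to avoid: the raw parameter is interpolated into markup."""
    return f'<a class="button secondary" href="{xredirect}">No</a>'


def render_cancel_button(xredirect: Optional[str]) -> str:
    """Hardened: validate the destination, then escape it for an attribute context.

    escape(..., quote=True) turns double and single quotes into entities, so a
    value cannot terminate the href attribute even if validation is loosened later.
    """
    href = resolve_redirect(xredirect)
    return f'<a class="button secondary" href="{escape(href, quote=True)}">No</a>'


if __name__ == "__main__":
    # Constructed inputs: a legitimate page path and a path carrying a quote.
    for value in ["/bin/view/Space/Page?x=1", '/bin/view/A"B', "https://example.invalid/x"]:
        print(repr(value), "->", render_cancel_button(value))
```

Validation and output encoding are independent controls: the allow-list on the path keeps the link from pointing off-site, while attribute escaping keeps any character that survives validation from changing the structure of the rendered HTML.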


How to mitigate CVE-2025-66472

Install the security update from the vendor's website.

Sources