CVE-2025-32969
Published 2025-04-23
Priority P1 · 91 · critical · CVSS 3.1: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS 79.49% (99.6th percentile)
XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 1.8 < 15.10.16 | 15.10.16 |
| xwiki | xwiki | >= 16.0.0 < 16.4.6 | 16.4.6 |
| xwiki | xwiki | >= 16.5.0 < 16.10.1 | 16.10.1 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
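To turn the ranges in the table above into a check, here is an added Python example (not code from the advisory, XWiki or any of the sources quoted on this page) that parses an XWiki version string and reports whether it falls in one of the three affected ranges and which fix version applies on that branch. It assumes that a pre-release tag such as "-rc-1" or "-milestone-2" sorts before the final release carrying the same number, as in Maven-style versioning.

```python
"""Affected-version check for CVE-2025-32969.

Added example; not from the advisory or XWiki. Encodes the three version
ranges listed on the page as [first_vulnerable, first_fixed) intervals.
Assumption: a pre-release tag (e.g. "-rc-1") sorts before the plain
release of the same number, so "16.4.6-rc-1" predates the 16.4.6 fix.
"""
import re

# (first vulnerable version, first fixed version) per branch, from the table:
#   >= 1.8 < 15.10.16, >= 16.0.0 < 16.4.6, >= 16.5.0 < 16.10.1
AFFECTED_RANGES = [
    ((1, 8, 0), (15, 10, 16)),
    ((16, 0, 0), (16, 4, 6)),
    ((16, 5, 0), (16, 10, 1)),
]

# major[.minor[.patch]][-tag]; missing minor/patch default to 0.
VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(.+))?$")


def parse_version(text):
    """Return (major, minor, patch, is_final) for "16.4.5" or "16.4.6-rc-1"."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, tag = m.groups()
    return int(major), int(minor or 0), int(patch or 0), tag is None


def recommended_fix(version):
    """Return the fixed version on the same branch, or None if not affected."""
    major, minor, patch, is_final = parse_version(version)
    num = (major, minor, patch)
    for low, fixed in AFFECTED_RANGES:
        # A pre-release of the fix version itself (assumption stated above)
        # still predates the fix and is therefore treated as vulnerable.
        if low <= num < fixed or (num == fixed and not is_final):
            return ".".join(str(part) for part in fixed)
    return None


def is_vulnerable(version):
    """True when the version lies inside one of the affected ranges."""
    return recommended_fix(version) is not None


if __name__ == "__main__":
    for v in ["14.10", "15.10.15", "15.10.16", "16.4.5", "16.4.6-rc-1",
              "16.4.6", "16.10.0", "16.10.1", "17.0.0"]:
        print(f"{v:14} vulnerable={is_vulnerable(v)!s:5} "
              f"upgrade_to={recommended_fix(v)}")
```

Feed it the version reported by the instance (for example from the footer of a page or the REST API's wiki metadata) rather than a guessed one; the three branches are disjoint, so a 15.10.17 or 16.4.7 build is correctly reported as not affected.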
Detection & IOCs (extracted from sources)
URL: /rest/wikis/xwiki/query?q=where%20doc.name=length(%27a%27)*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(7)%20%23%27&type=hql&distinct=0
- Detect exploitation attempts by monitoring GET requests to /rest/wikis/xwiki/query with the 'type=hql' parameter and SQL injection patterns (e.g., UNION SELECT, sleep(), comment sequences) in the 'q' parameter.
- A successful exploitation response returns HTTP 200, contains both 'WikiManager' and '<?xml' in the body, and takes at least 7 seconds to complete (time-based blind SQLi via sleep(7)).
- The vulnerability is exploitable by unauthenticated remote users (no credentials) even when the 'Prevent unregistered users from viewing pages' and 'Prevent unregistered users from editing pages' options are enabled.
- Identify XWiki instances exposed on the internet with the Shodan fingerprint 'html:"data-xwiki-reference"' or the FOFA fingerprint 'body="data-xwiki-reference"' for attack surface enumeration.
- The PoC payload uses 'org.apache.logging.log4j.util.Chars.SPACE', a Java class constant referenced inside the HQL query, to escape the query boundary; this is specific to XWiki's HQL execution engine and may not trigger standard SQL injection signatures.
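As an added example (not code from the advisory, XWiki or the Nuclei template), the following Python scanner applies the detection guidance above to web-server access logs: it selects requests to the REST query endpoint with type=hql, URL-decodes the q parameter, and matches the indicators listed (UNION SELECT, sleep(), comment sequences) plus two taken from the PoC URL itself, the backslash-escaped quote and the fully-qualified Java constant reference. It goes slightly beyond the page by also matching pg_sleep() and benchmark() for other backends and by accepting any wiki name and servlet context path in front of /rest/wikis/.../query. Assumptions: Apache combined log format with a trailing %D field (request duration in microseconds), and constructed sample lines, the first of which carries the IOC URL quoted above.

```python
"""Access-log scanner for CVE-2025-32969 exploitation attempts.

Added example; not code from the advisory, XWiki or the Nuclei template.
Assumptions: Apache combined log format followed by a %D field (request
duration in microseconds); the query endpoint may sit under a context path
(e.g. /xwiki) and may name any wiki, not only "xwiki". The sample log
lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: combined log format + request duration in microseconds.
# Line 1 is the IOC URL from the page; line 2 is a benign HQL query; line 3 is the
# same injection under a /xwiki context path that failed with a 500; line 4 is noise.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2025:10:15:01 +0000] "GET /rest/wikis/xwiki/query?q=where%20doc.name=length(%27a%27)*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(7)%20%23%27&type=hql&distinct=0 HTTP/1.1" 200 1843 "-" "python-requests/2.31.0" 7213455
198.51.100.5 - - [23/Apr/2025:10:15:02 +0000] "GET /rest/wikis/xwiki/query?q=where%20doc.name%20like%20%27Sandbox%25%27&type=hql&number=10 HTTP/1.1" 200 2210 "-" "Mozilla/5.0" 84311
203.0.113.7 - - [23/Apr/2025:10:15:09 +0000] "GET /xwiki/rest/wikis/xwiki/query?q=where%20doc.name=%27x%27%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(7)%20%23%27&type=hql HTTP/1.1" 500 512 "-" "curl/8.1.2" 120034
192.0.2.9 - - [23/Apr/2025:10:16:00 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 9132 "-" "Mozilla/5.0" 45000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<micros>\d+)$'
)

# The PoC targets /rest/wikis/xwiki/query; any wiki name and an optional
# context path are accepted here.
QUERY_PATH_RE = re.compile(r"/rest/wikis/[^/]+/query$")

# Indicators matched against the URL-decoded 'q' parameter. The first three
# come from the detection guidance; the last two from the PoC payload: a
# backslash-escaped quote (passed through HQL to the database) and a
# fully-qualified Java constant reference such as ...util.Chars.SPACE.
INJECTION_PATTERNS = [
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("sleep", re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(", re.I)),
    ("sql_comment", re.compile(r"#|--|/\*")),
    ("backslash_quote", re.compile(r"\\'")),
    ("java_constant", re.compile(r"\b(?:[a-z][a-z0-9_]*\.){2,}[A-Z]\w*\.[A-Z][A-Z0-9_]*\b")),
]


def analyze_line(line):
    """Return a finding dict when the line looks like an attempt, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    url = urlsplit(m["target"])
    if not QUERY_PATH_RE.search(url.path):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
    if params.get("type", [""])[0].lower() != "hql":
        return None
    q = params.get("q", [""])[0]
    patterns = [name for name, rx in INJECTION_PATTERNS if rx.search(q)]
    if not patterns:
        return None
    status = int(m["status"])
    duration = int(m["micros"]) / 1_000_000
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "method": m["method"],
        "status": status,
        "duration_s": duration,
        "patterns": patterns,
        # Success indicators from the page: HTTP 200 and a delay of at least
        # 7 s (sleep(7)). The body markers 'WikiManager' and '<?xml' need the
        # response body, which an access log does not carry.
        "likely_success": status == 200 and duration >= 7.0,
        "query": q,
    }


def scan(log_text):
    """Run analyze_line over every line and return the findings in order."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} status={f['status']} "
              f"{f['duration_s']:.2f}s likely_success={f['likely_success']} "
              f"patterns={','.join(f['patterns'])}")
```

The duration check only separates a probe from a probable success; a 500 with the same payload (line 3 in the sample) is still an attempt worth alerting on, and a quiet success that does not use sleep() would only show up through the pattern matches, so tune on the patterns, not on the timing alone.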
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.3 | CRITICAL | — |
OSV
org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API
osv · 2025-04-23 · CVE-2025-32969 [CRITICAL]
### Impact
It is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled.
Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries.
The vulnerability may be tested in a default installation of XWiki Standard Flavor, including using the of
GHSA
org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API
ghsa · 2025-04-23 · CVE-2025-32969 [CRITICAL] · CWE-89
Impact: identical to the OSV entry above.
VulnCheck
xwiki xwiki Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2025 · CVSS 9.3 · CVE-2025-32969 [CRITICAL]
Description: identical to the CVE description at the top of the page.
No detection rules found.
Nuclei
XWiki REST API Query - SQL Injection
nuclei · CVSS 9.3 · CVE-2025-32969 [CRITICAL]
A SQL injection vulnerability exists in XWiki's REST API query endpoint. An unauthenticated attacker can execute arbitrary SQL queries through the 'q' parameter by manipulating the HQL query, potentially leading to data exfiltration or system compromise.
Template:
```yaml
id: CVE-2025-32969

info:
  name: XWiki REST API Query - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    A SQL injection vulnerability exists in XWiki's REST API query endpoint. An unauthenticated attacker can execute arbitrary SQL queries through the 'q' parameter by manipulating the HQL query, potentially leading to data exfiltration or system compromise.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries through the REST API query endpoint, potential
```