cbcvebase.
CVE-2025-46554
published 2025-04-30


Priority: P1 81
Severity: medium, 5.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
Exploitation: in-the-wild exploit; listed in VulnCheck KEV (exploited in the wild)
EPSS: 0.99% (58.0th percentile)
XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. There is no filtering for the results depending on current user rights, meaning an unauthenticated user could exploit this even in a private wiki. This issue has been patched in versions 14.10.22, 15.10.12, 16.4.3, and 16.7.0.

Affected (8 ranges)

Vendor   Product          Version range          Fixed in
xwiki    xwiki            >= 1.8.1 < 14.10.22    14.10.22
xwiki    xwiki            >= 15.0 < 15.10.12     15.10.12
xwiki    xwiki            >= 16.0.0 < 16.4.3     16.4.3
xwiki    xwiki            >= 16.5.0 < 16.7.0     16.7.0
xwiki    xwiki-platform   (four further ranges listed; version range and fix version not given)

Detection & IOCs

URL: rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments
URL: xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments
Other: data-xwiki-reference
  • Probe the XWiki REST attachments endpoint unauthenticated. A vulnerable instance answers HTTP 200 with a Content-Type of 'text/xml' or 'text/javascript' and a body containing '<attachments', '<item' and '<longSize'.
  • Two common URL path variants exist for the vulnerable endpoint: with and without the leading 'xwiki/' prefix. Test both when scanning.
  • Use the Shodan/FOFA fingerprint 'data-xwiki-reference' in the HTML body to identify XWiki instances for targeted scanning.
  • The vulnerability is exploitable by unauthenticated users (PR:N, UI:N per CVSS), so no credentials or session tokens are required to trigger the information disclosure.
  • The proof-of-concept path targets the default 'Sandbox/WebHome' page. Real wikis may not have this page, so adapt the endpoint path to a page or space known to exist on the target. The '<item' and '<longSize' markers only appear when the listed page actually has attachments; a page without any returns a listing with no entries.
  • The affected range is broad (1.8.1 through the 16.6.x line) but not contiguous: 14.10.22 and later 14.x, 15.10.12 and later 15.x, and 16.4.3 up to (but excluding) 16.5.0-rc-1 are already fixed, while 16.5.0-rc-1 up to 16.7.0 is affected again. Correlate detections against the installed XWiki version with these exact bounds rather than a single "< 16.7.0" check, or patched instances will show up as false positives.
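The detection notes above describe a procedure (build both path variants, send an unauthenticated GET, match status, content type and body markers, then correlate with the installed version). The following Python puts those steps into one checker. It is an added example, not code from the page's sources or from the XWiki project; the hostname wiki.example.com, the sample XML body and the verdict names are assumptions made here, and the ordering rule for release candidates (an "-rc-N" version sorts before the final release of the same number) is an assumption about XWiki's numbering that matches the ranges quoted in the advisory. Run it only against systems you are authorised to test.

```python
"""Unauthenticated check for CVE-2025-46554 (XWiki attachment metadata disclosure).

Added example; not the vendor's, NVD's or VulnCheck's code.
"""
import re
import sys
import urllib.error
import urllib.request

# Version ranges from the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ("1.8.1", "14.10.22"),
    ("15.0-rc-1", "15.10.12"),
    ("16.0.0-rc-1", "16.4.3"),
    ("16.5.0-rc-1", "16.7.0"),
]

# Fingerprint from the detection notes.
BODY_MARKERS = ("<attachments", "<item", "<longSize")
XML_TYPES = ("text/xml", "text/javascript")

# Constructed sample body in the shape the notes describe (not a real capture).
SAMPLE_VULNERABLE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<attachments xmlns="http://www.xwiki.org">'
    "<item><name>constructed.txt</name><longSize>1234</longSize></item>"
    "</attachments>"
)


def parse_version(v):
    """Turn '16.0.0-rc-1' into a sortable tuple.

    Release candidates sort before the final release with the same number
    (assumption about XWiki numbering), and short versions are zero-padded so
    '15.0' compares equal to '15.0.0'.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-rc-(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    rc = m.group(2)
    # (numbers, is_final, rc_number): finals get 1, rcs 0, so 16.0.0-rc-1 < 16.0.0
    return (tuple(nums), 1 if rc is None else 0, int(rc) if rc else 0)


def is_affected_version(v):
    """True if v falls inside one of the advisory's ranges (exact bounds, not '< 16.7.0')."""
    pv = parse_version(v)
    return any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def candidate_urls(base, space="Sandbox", page="WebHome"):
    """Both path variants seen in the wild: without and with the 'xwiki/' prefix."""
    base = base.rstrip("/")
    tail = f"rest/wikis/xwiki/spaces/{space}/pages/{page}/attachments"
    return [f"{base}/{tail}", f"{base}/xwiki/{tail}"]


def looks_vulnerable(status, content_type, body):
    """Classify one response against the fingerprint in the detection notes.

    Returns 'vulnerable' when all markers match, 'inconclusive' when the listing
    came back unauthenticated but the page has no attachments (so '<item' and
    '<longSize' cannot appear), and 'not_vulnerable' otherwise.
    """
    if status != 200:
        return "not_vulnerable"
    ct = (content_type or "").split(";")[0].strip().lower()
    if ct not in XML_TYPES or "<attachments" not in body:
        return "not_vulnerable"
    if all(marker in body for marker in BODY_MARKERS):
        return "vulnerable"
    return "inconclusive"


def probe(base, space="Sandbox", page="WebHome", timeout=10):
    """Send an unauthenticated GET to each path variant; return (url, verdict) pairs."""
    results = []
    for url in candidate_urls(base, space, page):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read(65536).decode("utf-8", "replace")
                verdict = looks_vulnerable(resp.status, resp.headers.get("Content-Type"), body)
        except urllib.error.HTTPError as e:
            verdict = looks_vulnerable(e.code, e.headers.get("Content-Type"), "")
        except (urllib.error.URLError, OSError):
            verdict = "unreachable"
        results.append((url, verdict))
    return results


if __name__ == "__main__":
    # Usage: python check_cve_2025_46554.py https://wiki.example.com [Space] [Page]
    target = sys.argv[1] if len(sys.argv) > 1 else "https://wiki.example.com"
    for url, verdict in probe(target, *sys.argv[2:4]):
        print(f"{verdict:15} {url}")
```

An "inconclusive" verdict still means the attachment listing was served without authentication on a wiki that may be private; retry with a space and page that are known to carry attachments before closing the finding, and treat a version inside AFFECTED_RANGES plus a "vulnerable" verdict as the confirmed case.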

CVSS provenance

NVD: v3.1, 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
VulnCheck: 5.3 MEDIUM