CVE-2025-49580
Published 2025-06-13
Priority P3 (43) · CVSS 3.1 base score 8 (High) · vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.37% (28.8th percentile)
XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 16.5.0 < 16.10.4 | 16.10.4 |
| xwiki | xwiki | >= 17.0.0 < 17.1.0 | 17.1.0 |
| xwiki | xwiki | >= 7.4.5 < 16.4.7 | 16.4.7 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.0 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.5 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
ghsa · 2025-06-13
CVE-2025-49580 [HIGH] CWE-266 XWiki allows privilege escalation through link refactoring
### Impact
Pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed.
This vulnerability affects all versions of XWiki since 8.2 and 7.4.5.
### Patches
The patch consists of only setting the `originalMetadataAuthor` when performing such a change, so that it is displayed in the history but has no impact on the rights evaluation (i.e. the original author of the changes is still used for the rights computation).
This patch has been applied on XWiki 16.4.7, 17.1.0RC1, 16.10.4.
### Workarounds
There's no workaround for this vulnerability, except preventing to perform any refactorin
OSV
osv · 2025-06-13
CVE-2025-49580 [HIGH] XWiki allows privilege escalation through link refactoring
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-06-13