CVE-2025-51991
published 2025-08-20


Priority: P269
CVSS 3.1: 8.8 (high)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.37% (87.2th percentile)
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.

Affected (1 range)

  Vendor   Product   Version range   Fixed in
  xwiki    xwiki     <= 17.3.0       (none listed)

Detection & IOCs (extracted from sources)

sigma
title: XWiki SSTI via HTTP Meta Info Field
id: <UNKNOWN>
status: experimental
logsource:
  category: webserver
detection:
  selection:
    # regex as captured from the source; the pattern is a fragment and its leading part is missing
    body|re: ']*>\s*49\s*<'
  condition: selection
• Detect SSTI exploitation attempts in XWiki by looking for Velocity template arithmetic probe payloads (e.g., 7*7=49) rendered in HTTP responses; a response body containing a tag whose value is '49' adjacent to the injected expression is a strong indicator of successful SSTI.
• The injection point is the HTTP Meta Info field within the Global Preferences Presentation section of the XWiki Administration interface. Monitor POST requests to XWiki admin configuration endpoints for Velocity template syntax (e.g., #set, $, #{) in the metainfo or related parameters.
• Flag any XWiki instance running version 17.3.0 or earlier where the HTTP Meta Info configuration field contains Velocity template expressions, as these will be executed server-side without sandboxing.
• Exploitation requires an authenticated administrator account; this is not an unauthenticated attack surface. Detection rules should be scoped to admin sessions to reduce false positives.
• Impact severity (RCE vs. information disclosure) depends on the specific server configuration. Not all deployments will be equally exploitable beyond template logic exposure.
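As an added illustration (not code from this page's sources or from the XWiki project), the following Python scanner applies the detection notes above to constructed request/response records: it URL-decodes form bodies before looking for Velocity syntax (encoded submissions like %23set%28... would otherwise slip past a literal match), raises a high-severity alert only for POSTs to admin paths, and treats an element rendering "49" as strong evidence only once such a save has been observed, since ordinary pages display numbers too. The parameter name XWiki.XWikiPreferences_0_meta, the /admin/ path marker, the sample records and the completed leading part of the page's fragmentary regex are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Velocity directives and variable references, run against URL-decoded form values so that
# encoded submissions (%23set%28%24x...) are not missed.
VELOCITY_SYNTAX = re.compile(
    r'#(?:set|if|elseif|else|end|foreach|macro|evaluate|include|parse)\b'  # #set(...), #if(...)
    r'|#\{'                                                               # #{...} directive form
    r'|\$!?\{?[A-Za-z_]'                                                  # $var, ${var}, $!var (not "$5")
)

# An element whose only text is 49, the rendered 7*7 probe. The page's Sigma value
# (']*>\s*49\s*<') is a fragment; the leading '<[^>' is an assumption made to complete it.
PROBE_RESULT = re.compile(r'<[^>]*>\s*49\s*<')

# Assumption: XWiki administration endpoints carry this path segment.
ADMIN_PATH_MARKER = '/admin/'


def velocity_params(body):
    """Return the names of form parameters whose decoded value contains Velocity syntax."""
    params = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in params.items()
                  if any(VELOCITY_SYNTAX.search(v) for v in values))


def scan(records):
    """Classify request/response records in order.

    A '49' in a response on its own is only 'info' (ordinary pages show numbers). It becomes
    'high' once an admin POST carrying Velocity syntax has been seen, because from then on
    every page view renders the injected meta block.
    """
    tainted = False
    findings = []
    for rec in records:
        reasons = []
        severity = 'none'
        hits = velocity_params(rec.get('body', ''))
        is_admin_post = rec['method'] == 'POST' and ADMIN_PATH_MARKER in rec['path']
        if hits and is_admin_post:
            severity = 'high'
            tainted = True
            reasons.append('Velocity syntax saved via admin endpoint in: ' + ', '.join(hits))
        elif hits:
            severity = 'low'
            reasons.append('Velocity-like text outside admin configuration in: ' + ', '.join(hits))
        if PROBE_RESULT.search(rec.get('response_body', '')):
            if tainted:
                severity = 'high'
                reasons.append('probe result 49 rendered after suspicious admin save')
            elif severity == 'none':
                severity = 'info'
                reasons.append('element containing only 49 (uncorrelated, likely benign)')
        if severity != 'none':
            findings.append({'id': rec['id'], 'user': rec['user'],
                             'severity': severity, 'reasons': reasons})
    return findings


# Constructed records for this example; not real traffic. The form field name is assumed.
SAMPLE_RECORDS = [
    # 1: ordinary admin save of a harmless meta tag -> no finding
    {'id': 1, 'method': 'POST', 'path': '/xwiki/bin/admin/XWiki/XWikiPreferences', 'user': 'Admin',
     'body': 'XWiki.XWikiPreferences_0_meta=%3Cmeta+name%3D%22robots%22+content%3D%22noindex%22%3E',
     'response_body': ''},
    # 2: a page that happens to show 49 in a table, before any suspicious save -> info
    {'id': 2, 'method': 'GET', 'path': '/xwiki/bin/view/Sandbox/Stats', 'user': 'alice',
     'body': '', 'response_body': '<table><tr><td>49</td></tr></table>'},
    # 3: admin save whose meta value carries Velocity syntax (the page's 7*7 probe) -> high
    {'id': 3, 'method': 'POST', 'path': '/xwiki/bin/admin/XWiki/XWikiPreferences', 'user': 'Admin',
     'body': 'XWiki.XWikiPreferences_0_meta=%23set%28%24p%3D7*7%29%3Cp%3E%24p%3C%2Fp%3E&form_token=abc',
     'response_body': ''},
    # 4: any later page view whose head now renders 49 -> high (correlated with 3)
    {'id': 4, 'method': 'GET', 'path': '/xwiki/bin/view/Main/WebHome', 'user': 'bob',
     'body': '', 'response_body': '<html><head><p>49</p><title>Main</title></head></html>'},
    # 5: Velocity-looking text in a non-admin comment -> low (noise)
    {'id': 5, 'method': 'POST', 'path': '/xwiki/bin/commentadd/Sandbox/WebHome', 'user': 'alice',
     'body': 'comment=use+%24foo+in+your+script', 'response_body': ''},
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Feeding real traffic into scan() requires records that carry both the decoded request body and the response body, which plain web-server access logs usually lack; a reverse proxy or WAF with body logging is the practical source, and the admin-path scoping should be tightened to the exact configuration endpoints of the deployment.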