CVE-2025-55749
published 2025-12-01


Priority: P179
Severity: high, CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploitation: exploited in the wild (VulnCheck KEV)
EPSS: 1.38% (68.7th percentile)
XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed that statically serves any file located in the webapp/ folder. It allows accessing files which might contain credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.

Affected (6 ranges)

Vendor | Product        | Version range           | Fixed in
xwiki  | xwiki          | >= 16.7.0 < 16.10.11    | 16.10.11
xwiki  | xwiki          | >= 17.0.0 < 17.4.4      | 17.4.4
xwiki  | xwiki          | >= 17.5.0 < 17.7.0      | 17.7.0
xwiki  | xwiki-platform |                         |
xwiki  | xwiki-platform |                         |
xwiki  | xwiki-platform |                         |

Detection & IOCs (extracted from sources)

Path: /webapps/xwiki/WEB-INF/xwiki.properties
  • Send an unauthenticated HTTP GET request to /webapps/xwiki/WEB-INF/xwiki.properties; a vulnerable XJetty instance will return HTTP 200 with a body containing both 'diff.xml.dataURI' and 'core.renderingcache.enabled'.
  • Scope detection to hosts fingerprinted as XWiki Platform (e.g. via the FOFA query app="XWIKI-Platform"); the vulnerability only affects instances using the XWiki Jetty (XJetty) package.
  • The exposed context allows static traversal of the entire webapp/ folder, so monitor for unauthenticated GET requests targeting paths under /webapps/xwiki/WEB-INF/ from external sources.
  • The vulnerability is only exploitable on XWiki instances deployed via the XWiki Jetty (XJetty) package; standard servlet-container deployments are not affected.
  • The affected version range is 16.7.0 through (but not including) 16.10.11, 17.4.4, and 17.7.0; the fixed versions are 16.10.11, 17.4.4, and 17.7.0.

CVSS provenance

NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 8.7 HIGH