CVE-2025-65089
published 2025-11-19CVE-2025-65089: XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights…
PriorityP336medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
0.25%
16.4th percentile
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights on a page may see the content of an office attachment displayed with the view file macro. This issue has been patched in version 1.27.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | pro_macros | < 1.27.0 | 1.27.0 |
| xwikisas | xwiki-pro-macros | < 1.27.0 | 1.27.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
XWiki view file macro: User can view content of office file without view rights on the attachment
ghsa·2025-11-18
CVE-2025-65089 [MEDIUM] CWE-862 XWiki view file macro: User can view content of office file without view rights on the attachment
XWiki view file macro: User can view content of office file without view rights on the attachment
### Summary
A user with no view rights on a page may see the content of an office attachment displayed with the view file macro.
### Details
If on a public page is displayed an office attachment from a restricted page, a user with no view rights on the restricted page can view the attachment content, no matter the display type used.
### PoC
1. Install and activate the Pro Macros application
2. Create a page and limit the view rights for a test user
3. Add an attachment to the restricted page
4. Create a new public page
5. Add the view file macro and select the attachment from the restricted page using any display type
6. Login as the test user with restricted view rights
7. The user will se
OSV
XWiki view file macro: User can view content of office file without view rights on the attachment
osv·2025-11-18
CVE-2025-65089 [MEDIUM] XWiki view file macro: User can view content of office file without view rights on the attachment
XWiki view file macro: User can view content of office file without view rights on the attachment
### Summary
A user with no view rights on a page may see the content of an office attachment displayed with the view file macro.
### Details
If on a public page is displayed an office attachment from a restricted page, a user with no view rights on the restricted page can view the attachment content, no matter the display type used.
### PoC
1. Install and activate the Pro Macros application
2. Create a page and limit the view rights for a test user
3. Add an attachment to the restricted page
4. Create a new public page
5. Add the view file macro and select the attachment from the restricted page using any display type
6. Login as the test user with restricted view rights
7. The user will se
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-11-19
Published