CVE-2025-66474
Published 2025-12-10
CVE-2025-66474: XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions…
Priority P2 · 66 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.86% (53.9th percentile)
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit through RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki-rendering | < 16.10.10 | 16.10.10 |
| xwiki | xwiki-rendering | — | — |
| xwiki | xwiki-rendering | — | — |
| xwiki | xwiki-rendering | — | — |
| xwiki | xwiki-rendering | >= 17.0.0 < 17.4.3 | 17.4.3 |
Detection & IOCs (extracted from sources)
- Detect {{/html}} injection attempts in XWiki document content: look for macro closing tags used to escape the HTML macro context and inject arbitrary wiki macros (e.g., Groovy/Python script macros).
- Monitor for execution of Groovy and Python script macros in XWiki, especially when triggered from user profile pages or from documents edited by low-privileged users.
- The vulnerability affects a wide range of XWiki Rendering versions; patched versions are 16.10.10, 17.4.3 and 17.6.0-rc-1. Ensure detection and blocking rules account for all affected version ranges.
- Any authenticated user with document edit rights (including editing their own profile) is a potential attacker; the attack surface is not limited to privileged accounts.
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection
osv·2025-12-10
CVE-2025-66474 [HIGH] XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection
### Impact
Any user who can edit their own user profile or any other document can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The reason is that rendering output is included as content of HTML macros with insufficient escaping, and it is thus possible to close the HTML macro and inject script macros that are executed with programming rights. To demonstrate, the content `{{html}}{{/html {{/html}}}}` can be inserted into any field of the user profile that supports wiki syntax like the "About" field. If this leads to the display of raw HTML, the instance is vulnerable.
GHSA
XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection
ghsa·2025-12-10
CVE-2025-66474 [HIGH] CWE-94 XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection
### Impact
Any user who can edit their own user profile or any other document can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The reason is that rendering output is included as content of HTML macros with insufficient escaping, and it is thus possible to close the HTML macro and inject script macros that are executed with programming rights. To demonstrate, the content `{{html}}{{/html {{/html}}}}` can be inserted into any field of the user profile that supports wiki syntax like the "About" field. If this leads to the display of raw HTML, the instance is vulnerable.
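The Impact section above describes the root cause (user content ends up inside an `{{html}}` macro body, so a closing `{{/html}}` token in that content ends the macro early and whatever follows is parsed as wiki syntax), and the Detection & IOCs list asks for exactly that pattern to be flagged. The following scanner is an added example written for this page; it is not XWiki's own code and does not model XWiki's full syntax (in particular, it ignores escape sequences, so hits are leads for review rather than verdicts). It tokenises wiki-syntax text for `{{html}}` open/close markers and for the Groovy and Python script macros the advisory names, then reports closers that do not match an open macro, closers that are not written as a plain `{{/html}}`, and any script macro openers. The sample strings, including the advisory's own probe `{{html}}{{/html {{/html}}}}`, are constructed inputs.

```python
import re
from dataclasses import dataclass

# Hypothetical content scanner for CVE-2025-66474 style findings (added example,
# not part of XWiki). Tokens of interest: html macro open/close markers and the
# script macros (groovy, python) the advisory identifies as the payload once
# the html macro context has been escaped.
TOKEN = re.compile(r"\{\{(?P<close>/?)(?P<name>html|groovy|python)\b", re.IGNORECASE)

# A well-formed closer must continue with optional whitespace and then "}}".
CLOSER_TAIL = re.compile(r"\s*\}\}")


@dataclass(frozen=True)
class Finding:
    kind: str      # "stray_closer", "malformed_closer" or "script_macro"
    offset: int    # character offset of the token in the scanned text
    snippet: str   # a little surrounding text for the analyst


def scan_wiki_content(text: str, context: int = 24) -> list[Finding]:
    """Return suspicious html-macro closers and script-macro openers in text."""
    findings: list[Finding] = []
    depth = 0  # number of {{html}} macros currently open at this point
    for m in TOKEN.finditer(text):
        name = m.group("name").lower()
        is_close = m.group("close") == "/"
        snippet = text[m.start(): m.start() + context]
        if name == "html":
            if not is_close:
                # Opener, possibly with parameters such as {{html clean="false"}}.
                depth += 1
                continue
            # A closer must actually close an html macro that is open here ...
            if depth == 0:
                findings.append(Finding("stray_closer", m.start(), snippet))
            else:
                depth -= 1
            # ... and must be spelled as a plain {{/html}}; anything else
            # (e.g. a closer nested inside another closer) is malformed.
            if not CLOSER_TAIL.match(text, m.end()):
                findings.append(Finding("malformed_closer", m.start(), snippet))
        elif not is_close:
            # Script macro opener: worth a look on its own in low-privilege content.
            findings.append(Finding("script_macro", m.start(), snippet))
    return findings


def is_suspicious(text: str) -> bool:
    """True if the content contains any html-closer anomaly (script macros alone do not count)."""
    return any(f.kind != "script_macro" for f in scan_wiki_content(text))


if __name__ == "__main__":
    # Constructed sample field values, as an analyst might pull them from a
    # profile "About" field or a document body during triage.
    samples = {
        "benign": "{{html}}<b>hello</b>{{/html}}",
        "advisory probe": "{{html}}{{/html {{/html}}}}",
        "stray closer plus script macro": "About me {{/html}} {{python}}{{/python}}",
    }
    for label, content in samples.items():
        print(f"{label}: suspicious={is_suspicious(content)}")
        for f in scan_wiki_content(content):
            print(f"  {f.kind:<17} @{f.offset:<3} {f.snippet!r}")
```

Run over exported page or profile content, the scanner turns the first IOC bullet into something mechanical: a `stray_closer` or `malformed_closer` hit is the signature of content trying to break out of the html macro context, while `script_macro` hits give the second bullet (script macro activity from user-editable content) a place to start. Because escaped text is not modelled, expect some false positives on documentation pages that legitimately show macro syntax.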
No detection rules found.
No public exploits indexed.
References
- https://github.com/xwiki/xwiki-platform/commit/12b780ccd5bca5fc8f74f46648d7e02fa04fbc11
- https://github.com/xwiki/xwiki-rendering/commit/9b71a2ee035815cfc29cebbfe81dbdd98f941d49
- https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p
- https://jira.xwiki.org/browse/XRENDERING-693
- https://jira.xwiki.org/browse/XRENDERING-792
- https://jira.xwiki.org/browse/XRENDERING-793
- https://jira.xwiki.org/browse/XWIKI-23378
Published: 2025-12-10