CVE-2025-66474
published 2025-12-10


Priority: P2 · 66 · high
CVSS 3.1 base score: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
EPSS: 0.86% (53.9th percentile)
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc.) into another syntax (XHTML, etc.). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit to achieve remote code execution (RCE). Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1.

Affected (5 ranges)

Vendor   Product           Version range           Fixed in
xwiki    xwiki-rendering   < 16.10.10              16.10.10
xwiki    xwiki-rendering
xwiki    xwiki-rendering
xwiki    xwiki-rendering
xwiki    xwiki-rendering   >= 17.0.0, < 17.4.3     17.4.3

Detection & IOCs (extracted from sources)

  • Detect {{/html}} injection attempts in XWiki document content: look for macro closing tags used to escape the HTML macro context and inject arbitrary wiki macros (e.g., Groovy/Python script macros).
  • Monitor for execution of Groovy and Python script macros in XWiki, especially when triggered from user profile pages or from arbitrary documents edited by low-privileged users.
  • The vulnerability affects a wide range of XWiki Rendering versions; patched versions are 16.10.10, 17.4.3, and 17.6.0-rc-1. Ensure detection and blocking rules account for all affected version ranges.
  • Any authenticated user with document edit rights (including self-profile editing) is a potential attacker; the attack surface is not limited to privileged accounts.

CVSS provenance

Source   Version   Score   Severity   Vector
NVD      v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD      v4.0      8.7     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X