CVE-2025-32974 · CRITICAL 9.0 · EPSS percentile 20.1%


Description

XWiki is a generic wiki platform. In versions from 15.9-rc-1 up to (but not including) 15.10.8, and from 16.0.0-rc-1 up to (but not including) 16.2.0, the required-rights analysis does not consider TextArea properties with the default content type. Since version 15.9, XWiki warns when a page being edited contains content, such as a script macro, that would gain more rights as a result of the edit. This analysis skips certain kinds of properties, so a user can place malicious scripts there that will be executed after a user with script, admin, or programming rights edits the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.

Scoring

CVSS 3.1: 9.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.29% probability of exploitation · percentile 20.1% · 2026-06-19T12:03:05Z
Published: 2025-04-30
Last modified: 2025-05-13

Underlying weaknesses · 2

CWE-116, CWE-269

References

  1. https://github.com/xwiki/xwiki-platform/commit/153dbfa2ef1a7a0a644fe3f889684c6a8738c5fc
  2. https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvgm-3rw2-7j4r
  3. https://jira.xwiki.org/browse/XWIKI-22002


Type      Target                                             Confidence  Tier
Weakness  Improper Encoding or Escaping of Output (cwe-116)  0%          live
Weakness  Improper Privilege Management (cwe-269)            0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

Type  Entity
CVE   CVE-2025-32973
CVE   CVE-2025-49582
CVE   CVE-2025-49585
CVE   CVE-2025-23025
CVE   CVE-2025-48063
CVE   CVE-2025-32969
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.