CVE-2025-55730CRITICAL 10.0EPSS p47.7%

CVE-2025-55730CVE-2025-55730

Description

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.

Scoring

CVSS 3.110.0 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS0.68% probability of exploitation · percentile 47.7% · 2026-06-19T12:03:05Z
Published2025-09-09
Last modified2026-04-15

Underlying weaknesses· 1

CWE-116

References

  1. https://github.com/xwikisas/xwiki-pro-macros/blob/93ac1a38c829e3ef787379b2b45eb043a573e5f7/xwiki-pro-macros-confluence-bridges/xwiki-pro-macros-confluence-bridges-ui/src/main/resources/Confluence/Macros/ConfluencePasteCodeMacro.xml#L435
  2. https://github.com/xwikisas/xwiki-pro-macros/commit/049716df415aaf00938a91d618d382777820d2af
  3. https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-5w8v-h22g-j2mp
  4. https://jira.xwiki.org/browse/XWIKI-20449

1

TypeTargetConfidenceTier
WeaknessImproper Encoding or Escaping of Outputcwe-1160%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-55729
CVE
CVE-2025-55728
CVE
CVE-2025-55727
CVE
CVE-2025-65036
CVE
CVE-2025-49582
CVE
CVE-2025-53836
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.