Xwiki · Xwiki · CVE-2025-66474
**Name of the Vulnerable Software and Affected Versions**
XWiki versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0
**Description**
The XWiki Rendering system lacks sufficient protection against {{/html}} injection. This allows attackers to achieve remote code execution (RCE). Any user with the ability to edit their profile or other documents can execute arbitrary script macros, including Groovy and Python macros. This enables unrestricted read and write access to all wiki content.
**Recommendations**
Update to XWiki version 16.10.10 or later.
Update to XWiki version 17.4.3 or later.
Update to XWiki version 17.6.0-rc-1 or later.