PT-2025-17643 · Xwiki · Xwiki

Thomas Mortagne · Published 2025-04-23 · Updated 2025-04-30 · CVE-2025-32968

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
XWiki versions 1.6-milestone-1 through 15.10.16
XWiki versions prior to 16.4.6
XWiki versions prior to 16.10.1

Description
The issue allows a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection, executing arbitrary SQL statements on the database backend. Depending on the database backend in use, the attacker may be able to obtain confidential information such as password hashes from the database, as well as execute UPDATE/INSERT/DELETE queries.

Recommendations
For versions 1.6-milestone-1 through 15.10.16, update to version 15.10.16 or later. For versions prior to 16.4.6, update to version 16.4.6 or later. For versions prior to 16.10.1, update to version 16.10.1 or later. As a temporary workaround, consider restricting the SCRIPT right to minimize the risk of exploitation.

Exploit · Fix · SQL injection

Weakness Enumeration

Related Identifiers
BDU:2025-13121
CVE-2025-32968
GHSA-G9JJ-75MX-WJCX

Affected Products
Xwiki