CVE-2025-32969

Name of the Vulnerable Software and Affected Versions XWiki versions 1.8 through 15.10.15 XWiki versions 16.4.0 through 16.4.5 XWiki versions 16.10.0 through 16.10.0

Description XWiki is a generic wiki platform. In the affected versions, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. This can occur even when the "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used database backend, the attacker may be able to obtain confidential information such as password hashes from the database and execute UPDATE/INSERT/DELETE queries.

Recommendations For XWiki versions 1.8 through 15.10.15, upgrade to version 15.10.16. For XWiki versions 16.4.0 through 16.4.5, upgrade to version 16.4.6. For XWiki versions 16.10.0 through 16.10.0, upgrade to version 16.10.1.