CVE-2025-32971

Name of the Vulnerable Software and Affected Versions XWiki versions 4.5.1 through 15.10.12 XWiki versions 16.0.0-rc-1 through 16.4.3 XWiki versions 16.5.0-rc-1 through 16.7.0-rc-1

Description The Solr script service in XWiki does not account for dropped programming rights. Normally, the Solr script service requires programming rights to be called, but due to the use of the wrong API for checking rights, it fails to consider that programming rights might have been dropped by calling $xcontext.dropPermissions(). This could allow a user with script rights to cause a high load by indexing documents or temporarily remove documents from the search index.

Recommendations For XWiki versions 4.5.1 through 15.10.12, update to version 15.10.13 or later. For XWiki versions 16.0.0-rc-1 through 16.4.3, update to version 16.4.4 or later. For XWiki versions 16.5.0-rc-1 through 16.7.0-rc-1, update to version 16.8.0-rc-1 or later.