CVE-2025-32973

Name of the Vulnerable Software and Affected Versions XWiki versions 15.9-rc-1 through 15.10.12 XWiki versions 16.0.0-rc-1 through 16.4.3 XWiki versions 16.5.0-rc-1 through 16.8.0-rc-1

Description The issue arises when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contains an XWiki.ComponentClass object. In such cases, no warning is displayed to indicate that programming rights will be granted to this object. An attacker who creates a malicious XWiki.ComponentClass object could exploit this to gain programming rights on the wiki. To do so, the attacker must have edit rights on at least one page to place the object and then trick an admin user into editing that document.

Recommendations For versions 15.9-rc-1 through 15.10.12, update to version 15.10.12 or later. For versions 16.0.0-rc-1 through 16.4.3, update to version 16.4.3 or later. For versions 16.5.0-rc-1 through 16.8.0-rc-1, update to version 16.8.0-rc-1 or later.