CVE-2025-48063

Name of the Vulnerable Software and Affected Versions XWiki versions 16.10.0 through 16.10.3

Description The issue is related to a bug in the implementation of required rights in XWiki, allowing any user with edit right on a document to set programming right as required right. This could lead to remote code execution if a user with programming right edits the document. The impact is considered low, as the vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights. However, gaining programming right could have a high impact.

Recommendations For XWiki versions 16.10.0 through 16.10.3, upgrade to XWiki 16.10.4 or 17.1.0RC1 to resolve the issue. As a temporary workaround, consider restricting access to documents with required rights enforced, to minimize the risk of exploitation.