PT-2025-25432 · Xwiki · Xwiki

Michael Hamann · Published 2025-06-13 · Updated 2025-09-03 · CVE-2025-49581

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
XWiki versions prior to 16.4.7
XWiki versions prior to 16.10.3
XWiki versions prior to 17.0.0

Description: Any user with edit rights on a page can execute code, including Groovy, Python, and Velocity, with programming rights by defining a wiki macro. This can grant full access to the whole XWiki installation. The root cause is that when a wiki macro parameter allows wiki syntax, the parameter's default value is executed with the rights of the author of the document in which the macro is used. This can be exploited by overriding an existing macro, such as the children macro, so that arbitrary script macros are allowed.

Recommendations:
For versions prior to 16.4.7, update to version 16.4.7 or later to enforce proper rights management.
For versions prior to 16.10.3, update to version 16.10.3 or later to enforce proper rights management.
For versions prior to 17.0.0, update to version 17.0.0 or later to enforce proper rights management.

Weakness Enumeration: Code Injection

Related Identifiers: BDU:2025-13441, CVE-2025-49581, GHSA-9875-CW22-F7CX

Affected Products: Xwiki