PT-2025-25434 · Xwiki · Xwiki

Michael Hamann · Published 2024-08-30 · Updated 2025-06-13

CVE-2025-49583

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions

XWiki versions prior to 15.10.16
XWiki versions prior to 16.4.7
XWiki versions prior to 16.10.2
Description

The issue affects XWiki, a generic wiki platform. It occurs when a user without script right creates a document containing an XWiki.Notifications.Code.NotificationEmailRendererClass object. If an administrator later edits and saves that document, the email templates stored in this object are used for notifications. No malicious code can be executed, because the existing generic analyzer warns admins before they edit Velocity code; the main impact is therefore that the templates can be used to send spam, such as phishing links, to other users, or to hide notifications about other attacks.
Recommendations

For versions prior to 15.10.16, update to version 15.10.16 or later.
For versions prior to 16.4.7, update to version 16.4.7 or later.
For versions prior to 16.10.2, update to version 16.10.2 or later.

As a temporary workaround, consider restricting access to documents with XWiki.Notifications.Code.NotificationEmailRendererClass objects until the issue is resolved. Avoid using the XWiki.Notifications.Code.NotificationEmailRendererClass object in documents until the issue is resolved.
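The workaround above presumes an administrator knows which documents carry a NotificationEmailRendererClass object. The following inventory script is an added example, not part of this advisory or of XWiki's own code: it assumes XWiki's REST endpoint /rest/wikis/{wiki}/classes/{className}/objects returns an XML list of objectSummary elements with pageId and pageAuthor children (an assumption about the response shape), uses placeholder URL and credentials, and parses a constructed sample response so it runs offline.

```python
"""Inventory XWiki documents carrying NotificationEmailRendererClass objects.

Added example for this advisory; not XWiki's or the advisory author's code.
Assumed: the REST objects-for-class resource returns <objectSummary> elements
with <pageId> and <pageAuthor> children. BASE_URL/credentials are placeholders.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import quote
from urllib.request import Request, urlopen

XWIKI_NS = {"x": "http://www.xwiki.org"}
RENDERER_CLASS = "XWiki.Notifications.Code.NotificationEmailRendererClass"


def parse_object_summaries(xml_text: str) -> dict[str, str]:
    """Map each document carrying the class object to its last author."""
    root = ET.fromstring(xml_text)
    found = {}
    for summary in root.findall("x:objectSummary", XWIKI_NS):
        page = summary.findtext("x:pageId", default="?", namespaces=XWIKI_NS)
        author = summary.findtext("x:pageAuthor", default="(unknown)", namespaces=XWIKI_NS)
        found[page] = author
    return found


def flag_for_review(found: dict[str, str], trusted_authors: set[str]) -> list[str]:
    """Documents whose last author is not a known trusted account (e.g. one
    holding script right). An admin should review these before editing and
    saving them, because saving activates the embedded email templates."""
    return sorted(page for page, author in found.items() if author not in trusted_authors)


def fetch_object_summaries(base_url: str, wiki: str, user: str, password: str) -> str:
    """Fetch the XML object list from a live wiki (placeholder credentials)."""
    url = f"{base_url}/rest/wikis/{wiki}/classes/{quote(RENDERER_CLASS)}/objects"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}", "Accept": "application/xml"})
    with urlopen(req) as resp:
        return resp.read().decode()


# Constructed sample response; page names and authors are made up.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<objects xmlns="http://www.xwiki.org">
  <objectSummary><pageId>xwiki:Sandbox.Untrusted</pageId><pageAuthor>XWiki.someuser</pageAuthor></objectSummary>
  <objectSummary><pageId>xwiki:Notifications.Templates</pageId><pageAuthor>XWiki.Admin</pageAuthor></objectSummary>
</objects>"""

if __name__ == "__main__":
    inventory = parse_object_summaries(SAMPLE_RESPONSE)  # swap in fetch_object_summaries(...) for a live wiki
    for page in flag_for_review(inventory, {"XWiki.Admin"}):
        print(f"review before editing: {page} (last author {inventory[page]})")
```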

Related Identifiers

BDU:2025-06832
CVE-2025-49583
GHSA-FF6V-W58F-V97W

Affected Products

Xwiki