CVE-2025-49585

Name of the Vulnerable Software and Affected Versions XWiki versions before 15.10.16 XWiki versions 16.0.0-rc-1 through 16.4.6 XWiki versions 16.5.0-rc-1 through 16.10.1

Description The issue concerns XWiki, a generic wiki platform. In affected versions, an attacker without script or programming rights can create an XClass definition, which can lead to malicious code execution when a user with script, admin, or programming rights later edits the document. This is particularly relevant to custom display code, script of computed properties, and queries in database list properties. Warnings for editing documents with dangerous properties were introduced in XWiki 15.9.

Recommendations For versions before 15.10.16, update to version 15.10.16 or later. For versions 16.0.0-rc-1 through 16.4.6, update to version 16.4.7 or later. For versions 16.5.0-rc-1 through 16.10.1, update to version 16.10.2 or later.