CVE-2025-49587

Name of the Vulnerable Software and Affected Versions XWiki versions prior to 15.10.16 XWiki versions prior to 16.4.7 XWiki versions prior to 16.10.2

Description The issue arises when a user without script rights creates a document containing an XWiki.Notifications.Code.NotificationDisplayerClass object. If an admin later edits and saves this document, the potentially malicious content of the object is output as raw HTML, allowing cross-site scripting (XSS) attacks. The notification displayer executes Velocity code, and while a generic analyzer warns admins about editing Velocity code, warnings for editing documents with dangerous properties were only introduced in XWiki 15.9.

Recommendations For versions prior to 15.10.16, update to version 15.10.16 or later. For versions prior to 16.4.7, update to version 16.4.7 or later. For versions prior to 16.10.2, update to version 16.10.2 or later. As a temporary workaround, consider being cautious when editing documents with potentially malicious code, especially those containing XWiki.Notifications.Code.NotificationDisplayerClass objects, until a patch is applied.