CVE-2025-53835

CVSS v3.1

9.0

Critical

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: XWiki versions 5.4.5 through 14.9

Description: XWiki Rendering, a system for converting textual input into different syntaxes, contains a flaw. Prior to version 14.10, the XHTML syntax relied on the xdom+xml/current syntax, enabling the insertion of arbitrary HTML content, including JavaScript. This allows for cross-site scripting (XSS) attacks when users with document editing privileges, such as their user profile (enabled by default), modify content.

Recommendations: Upgrade to XWiki version 14.10 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-80CWE-79

Related Identifiers

BDU:2025-13119

CVE-2025-53835

GHSA-W3WH-G4M9-783P

Affected Products

Xwiki

CVE-2025-53835

Weakness Enumeration

Related Identifiers

Affected Products

References · 12