PT-2025-30912 · Xwiki · Xwiki

Thomas Mortagne

·

Published

2025-07-25

·

Updated

2025-07-26

·

CVE-2025-54385

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

xWiki versions prior to 16.10.6
xWiki versions prior to 17.3.0-rc-1

Description

The application allows execution of arbitrary SQL queries in Oracle databases through functions such as DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments API does not sanitize the queries it receives, and Hibernate allows native database functions to be called from within HQL queries.

Recommendations

Upgrade to xWiki version 16.10.6 or later.
Upgrade to xWiki version 17.3.0-rc-1 or later.

Exploit

Fix

RCE

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2025-13439
CVE-2025-54385
GHSA-P9QM-P942-Q3W5

Affected Products

Xwiki