PT-2025-32000 · Xwiki · Xwiki Platform

Michael Hamann · Published 2025-01-23 · Updated 2025-08-06 · CVE-2025-54125

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 1.1 through 16.4.6
XWiki Platform versions 16.5.0-rc-1 through 16.10.4
XWiki Platform versions 17.0.0-rc-1 through 17.1.0

Description

XWiki Platform Legacy Old Core and XWiki Platform Old Core are affected by an issue where the XML export of a page, accessible to any user with view rights by appending ?xpage=xml to the URL, includes password and email properties stored on a document, even if these properties are not explicitly named password or email.

Recommendations

XWiki Platform versions prior to 16.4.7 should be updated.
XWiki Platform versions prior to 16.10.5 should be updated.
XWiki Platform versions prior to 17.2.0-rc-1 should be updated.
If the XML export functionality is not required, delete the templates/xml.vm file from the deployed WAR file.
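
To review who has requested the XML export described above, the following added example (not from the advisory or the XWiki project) scans web-server access logs for ?xpage=xml requests that were actually served. The combined log format, the /xwiki/bin/view/ paths and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2025:10:01:02 +0000] "GET /xwiki/bin/view/XWiki/JohnDoe?xpage=xml HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [06/Aug/2025:10:01:03 +0000] "GET /xwiki/bin/view/Main/?viewer=code&xpage=%78ml HTTP/1.1" 200 2048 "-" "curl/8.5.0"
198.51.100.4 - - [06/Aug/2025:10:02:10 +0000] "GET /xwiki/bin/view/Main/?xpage=plain HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Aug/2025:10:02:11 +0000] "GET /xwiki/bin/view/Secret/Page?xpage=xml HTTP/1.1" 403 310 "-" "Mozilla/5.0"
192.0.2.9 - alice [06/Aug/2025:10:03:00 +0000] "GET /xwiki/bin/view/Main/WebHome?q=xpage%3Dxml HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD target PROTOCOL", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def find_xml_exports(log_text):
    """Return {client_ip: [(timestamp, user, path), ...]} for served ?xpage=xml requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        # parse_qs percent-decodes names and values, so xpage=%78ml is caught,
        # while "xpage=xml" appearing inside another parameter's value is not.
        values = parse_qs(url.query, keep_blank_values=True).get("xpage", [])
        # Only 2xx responses returned a document body; a 403 or 404 exported nothing.
        if "xml" in values and m["status"].startswith("2"):
            hits[m["ip"]].append((m["ts"], m["user"], url.path))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in find_xml_exports(SAMPLE_LOG).items():
        for ts, user, path in reqs:
            print(f"{ip} user={user} [{ts}] {path}")
```

The check only sees parameters in the request line, so it is a starting point for review of pages that hold password or email properties, not proof that nothing else was exported.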

Related Identifiers

BDU:2025-09450
CVE-2025-54125
GHSA-57Q2-6CP4-9MQ3

Affected Products

Xwiki Platform