PT-2025-34072 · Xwiki · Xwiki
Malcxlmj · Published 2025-08-16 · Updated 2025-09-09 · CVE-2025-51991
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: XWiki versions through 17.3.0
Description: XWiki is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, potentially exposing internal server information or leading to further exploitation, such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.
Recommendations: Versions prior to 17.3.0 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Tags: Exploit · RCE · XSS · Code Injection

Related Identifiers: BDU:2025-13437 · CVE-2025-51991

Affected Products: Xwiki