PT-2025-35113 · Xwiki · Xwiki Platform

Michael Hamann · Published 2025-08-28 · Updated 2025-12-27 · CVE-2025-58049

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
- XWiki Platform versions 14.4.2 through 16.4.7
- XWiki Platform versions 16.5.0-rc-1 through 16.10.6
- XWiki Platform versions 17.0.0-rc-1 through 17.4.0-rc-1

Description: The PDF export jobs store sensitive cookies unencrypted in their job statuses. The job status includes the cookies from the HTTP request that triggered the export, and among them are the cookies carrying the encrypted username and password. Because the encryption key is stored in the same data directory as the job status, anyone able to read the job status can also read the key and recover the plain-text password, so the encryption provides no effective protection.

Recommendations:
- Upgrade to XWiki Platform version 16.4.8 or later.
- Upgrade to XWiki Platform version 16.10.7 or later.
- Upgrade to XWiki Platform version 17.4.0-rc-1 or later.

Related Identifiers

CVE-2025-58049
GHSA-9M7C-M33F-3429

Affected Products

Xwiki Platform