PT-2025-36511 · Xwiki · Xwiki
Author: Michitux
Published: 2025-09-08
Updated: 2025-09-09
CVE-2025-58365
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions:
XWiki blog application, versions prior to 9.14
Description:
The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Prior to version 9.14, the blog application allowed remote code execution by any logged-in user who had edit rights on any page. Exploitation involves adding an object of type Blog.BlogPostClass to any page and placing script code in the "Content" field of that object; the content was then executed with more rights than the user who wrote it. The vulnerability was addressed in version 9.14 by executing the content of blog posts with the rights of the appropriate author.
Recommendations:
Upgrade to XWiki blog application version 9.14 or later.
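As an added defender-side example (not part of this advisory or of the XWiki project), the following Python scans an XWiki page XML export for Blog.BlogPostClass objects whose content carries a wiki script macro, which is the condition the description above says was executed with the wrong rights before 9.14. The element names (xwikidoc, web, name, author, object, className, number, property/content) are assumed from XWiki's XAR export format, and the sample page is constructed.

```python
# Added example: inventory Blog.BlogPostClass objects with script macros in
# an XWiki page XML export. Element names are assumed from the XAR format.
import re
import xml.etree.ElementTree as ET

# Wiki script macros whose presence in a blog post body warrants review.
SCRIPT_MACRO = re.compile(r"\{\{\s*(groovy|velocity|python|php)\b", re.IGNORECASE)


def find_script_blog_posts(page_xml: str) -> list[dict]:
    """Return one finding per Blog.BlogPostClass object that embeds a script macro."""
    root = ET.fromstring(page_xml)
    page = f"{root.findtext('web')}.{root.findtext('name')}"
    findings = []
    for obj in root.findall("object"):
        if obj.findtext("className") != "Blog.BlogPostClass":
            continue
        content = ""
        for prop in obj.findall("property"):  # each <property> wraps one named field
            node = prop.find("content")
            if node is not None:
                content = node.text or ""
        macros = sorted({m.group(1).lower() for m in SCRIPT_MACRO.finditer(content)})
        if macros:
            findings.append({"page": page, "author": root.findtext("author"),
                             "object": obj.findtext("number"), "macros": macros})
    return findings


# Constructed sample: a page outside the Blog space carrying a blog-post
# object whose content field holds a Groovy macro (body left as a placeholder).
SAMPLE_PAGE = """<xwikidoc>
  <web>Sandbox</web><name>Scratch</name>
  <author>XWiki.alice</author>
  <object>
    <className>Blog.BlogPostClass</className>
    <number>0</number>
    <property><title>Hello</title></property>
    <property><content>Intro {{groovy}}/* script body */{{/groovy}}</content></property>
  </object>
</xwikidoc>"""

if __name__ == "__main__":
    for f in find_script_blog_posts(SAMPLE_PAGE):
        print(f"{f['page']} object {f['object']} by {f['author']}: {f['macros']}")
```

Run it over every page in a XAR export; a hit on a page outside the Blog space, or by an author without script rights, is the case to review after upgrading to 9.14.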
Tags: Exploit, Fix, LPE, RCE, Code Injection, Eval Injection
Affected Products: Xwiki