PT-2025-36622 — Org.Xwiki.Contrib.Blog:Application-Blog-Ui

PT-2025-36622 · Maven · Org.Xwiki.Contrib.Blog:Application-Blog-Ui

Published

2025-09-08

Updated

2025-09-08

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Impact

The blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit their own user profile. To exploit, it is sufficient to add an object of type Blog.BlogPostClass to any page and to add some script macro with the exploit code to the "Content" field of that object.

Patches

The vulnerability has been patched in the blog application version 9.14 by executing the content of blog posts with the rights of the appropriate author.

Workarounds

We're not aware of any workarounds.

Resources

Fix

Eval Injection

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-250CWE-95CWE-94

Related Identifiers

GHSA-GWJ6-XPFG-PXWR

Affected Products

Org.Xwiki.Contrib.Blog:Application-Blog-Ui