PT-2025-36917 · Xwiki · Xwiki Remote Macros

Michitux · Published 2025-09-09 · Updated 2025-09-17 · CVE-2025-55727

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XWiki Remote Macros versions 1.0 through 1.26.5
Description: XWiki Remote Macros provides XWiki rendering macros used for content migration from Confluence. A missing escaping mechanism in the width parameter within the column macro allows for remote code execution. This affects users who can edit pages or access the CKEditor converter. The unescaped width parameter enables XWiki syntax injection, potentially allowing execution of Velocity code as the wiki admin or a user with programming rights.
Recommendations: Update to version 1.26.5 or later.

Exploit · Fix · RCE · Code Injection · Eval Injection

Weakness Enumeration

Related Identifiers

CVE-2025-55727
GHSA-HXQP-983C-M8H9

Affected Products

Xwiki Remote Macros