PT-2025-36918 · Xwiki · Xwiki Remote Macros

Farcasut · Published 2025-09-09 · Updated 2025-09-17

CVE-2025-55728 · CVSS v3.1: 10 (Critical) · Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XWiki Remote Macros versions 1.0 through 1.26.5
Description: XWiki Remote Macros provides XWiki rendering macros used for content migration from Confluence. The classes parameter of the panel macro is inserted into XWiki syntax without escaping, which allows XWiki syntax injection and, through it, remote code execution. Any user with page editing permissions can trigger this, since the parameter value is rendered as wiki syntax rather than treated as plain text.
Recommendations: Update to version 1.26.5 or later.

Tags: RCE · Code Injection · Eval Injection

Related Identifiers

CVE-2025-55728
GHSA-48F4-H726-74P5

Affected Products

Xwiki Remote Macros