PT-2025-50550 · Xwiki · Xwiki

Highmichitux

Published

2025-07-14

Updated

2025-12-19

CVE-2025-66474

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions XWiki versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0

Description The XWiki Rendering system lacks sufficient protection against {{/html}} injection. This allows attackers to achieve remote code execution (RCE). Any user with the ability to edit their profile or other documents can execute arbitrary script macros, including Groovy and Python macros. This enables unrestricted read and write access to all wiki content.

Recommendations Update to XWiki version 16.10.10 or later. Update to XWiki version 17.4.3 or later. Update to XWiki version 17.6.0-rc-1 or later.

Exploit

Fix

RCE

Code Injection

Eval Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94CWE-95

Related Identifiers

BDU:2025-15982

CVE-2025-66474

GHSA-9XC6-C2RM-F27P

Affected Products

Xwiki

PT-2025-50550 · Xwiki · Xwiki

CVE-2025-66474

Weakness Enumeration

Related Identifiers

Affected Products

References · 14