CVE-2025-66024

Name of the Vulnerable Software and Affected Versions XWiki versions prior to 9.15.7

Description The XWiki blog application is susceptible to Stored Cross-Site Scripting (XSS) through the Blog Post Title. The issue occurs because the post title is directly inserted into the HTML <title> tag without appropriate escaping. An attacker with the ability to create or modify blog posts can inject malicious JavaScript into the title field. This script will then execute in the browser of any user, including administrators, who views the blog post, potentially leading to session hijacking or privilege escalation. The vulnerable parameter is the title field within blog posts.

Recommendations Update to XWiki version 9.15.7 or later.