CVE-2025-24853

CVE-2025-24853: Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing

Vendor: Apache Software Foundation
Product: Apache JSPWiki
Weakness: CWE-79 (XSS)
Published: July 31, 2025
Last update: November 4, 2025

What the vulnerability does

Description

A carefully crafted request made when creating a header link using the wiki markup syntax could allow an attacker to execute JavaScript in the victim's browser and obtain some sensitive information about the victim. Further research by the JSPWiki team showed that the Markdown parser allowed this kind of attack too. Apache JSPWiki users should upgrade to 2.12.3 or later.

Key dates

Disclosure timeline

July 31, 2025: CVE published
November 4, 2025: Record updated