CVE-2025-29926 HIGH

CVE-2025-29926: The WikiManager REST API allows any user to create wikis

Vendor Xwiki
Product xwiki-platform
Weakness CWE-285
Published March 19, 2025
Last update March 19, 2025

CVSS base score

7.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H

What the vulnerability does

01Description

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.

Key dates

02Disclosure timeline

March 19, 2025 CVE published
March 19, 2025 Record updated