CVE-2025-32429 CRITICAL

CVE-2025-32429: XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter

Vendor Xwiki
Product xwiki-platform
Weakness CWE-89 · SQLi
Published July 24, 2025
Last update July 25, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, anyone can inject SQL through the sort parameter of the getdeleteddocuments.vm template: the parameter value is inserted as-is into an ORDER BY clause. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
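The defect described above is the classic ORDER BY injection pattern: an ORDER BY clause cannot be bound as a prepared-statement parameter, so a user-supplied sort value that is concatenated into the query text becomes SQL. The usual fix is to map the untrusted value onto an allowlist of column names and directions and to build the clause only from the allowlisted tokens. The following is an added example, not code from XWiki or from this record; the table name, column names and sample rows are assumed for illustration and do not reproduce XWiki's real schema.

```python
"""Allowlist validation for a user-controlled ORDER BY parameter.

Added example (not XWiki code). Table, columns and rows are constructed
for illustration; XWiki's real deleted-document schema is not reproduced.
"""
import re
import sqlite3

# Columns a caller may legitimately sort the deleted-documents listing by.
# Assumed names for the example, not taken from XWiki's schema.
ALLOWED_SORT_COLUMNS = {"fullName", "date", "deleter"}
_DIRECTION = re.compile(r"^(asc|desc)$", re.IGNORECASE)


def build_query_unsafe(sort: str) -> str:
    """The vulnerable pattern: the sort value is spliced into ORDER BY as-is."""
    return f"SELECT fullName FROM deleted_documents ORDER BY {sort}"


def validate_sort(sort: str) -> str:
    """Map an untrusted '<column> [asc|desc]' string onto an allowlisted clause.

    Raises ValueError for anything other than an allowed column name,
    optionally followed by asc/desc. The returned clause is assembled from
    the allowlisted tokens only; the raw input never reaches the SQL text.
    """
    parts = sort.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("sort must be '<column>' or '<column> <asc|desc>'")
    column = parts[0]
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {column!r}")
    direction = "ASC"
    if len(parts) == 2:
        if not _DIRECTION.match(parts[1]):
            raise ValueError(f"sort direction not allowed: {parts[1]!r}")
        direction = parts[1].upper()
    return f"{column} {direction}"


def is_sort_allowed(sort: str) -> bool:
    """Convenience predicate: True if validate_sort() accepts the value."""
    try:
        validate_sort(sort)
    except ValueError:
        return False
    return True


def build_query_safe(sort: str) -> str:
    """Hardened builder: only an allowlisted clause ever enters the query."""
    return f"SELECT fullName FROM deleted_documents ORDER BY {validate_sort(sort)}"


def list_deleted_documents(sort: str) -> list:
    """Run the hardened query against a constructed in-memory sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE deleted_documents (fullName TEXT, date INTEGER, deleter TEXT)"
    )
    # Constructed sample rows, not real XWiki data.
    conn.executemany(
        "INSERT INTO deleted_documents VALUES (?, ?, ?)",
        [
            ("Main.WebHome", 3, "alice"),
            ("Sandbox.TestPage", 1, "bob"),
            ("XWiki.Admin", 2, "carol"),
        ],
    )
    rows = conn.execute(build_query_safe(sort)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(build_query_unsafe("date, (SELECT 1)"))   # raw value passes straight through
    print(list_deleted_documents("date desc"))      # allowlisted clause, safe
    print(is_sort_allowed("date; DROP TABLE x"))    # False: rejected before any SQL is built
```

The important design point is that `validate_sort()` returns text built from its own constants, not a "cleaned" copy of the input, so there is no sanitisation step to get wrong; anything outside the allowlist is refused outright. When reviewing template code such as a Velocity `.vm` file, the check to make is whether every value that ends up in ORDER BY passes through such a mapping before the query string is assembled.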

Key dates

Disclosure timeline

July 24, 2025 CVE published
July 25, 2025 Record updated