CVE-2025-46558 CRITICAL

CVE-2025-46558: org.xwiki.contrib.markdown:syntax-markdown-commonmark12 vulnerable to XSS via Markdown content

Vendor Xwiki-Contrib
Product syntax-markdown
Weakness CWE-79 · XSS
Published April 30, 2025
Last update April 30, 2025
View on NVD All CVEs

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting (XSS) through HTML. In particular, using Markdown syntax, it's possible for any user to embed Javascript code that will then be executed on the browser of any other user visiting either the document or the comment that contains it. In the instance that this code is executed by a user with admins or programming rights, this issue compromises the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in version 8.9.

Key dates

02Disclosure timeline

April 30, 2025 CVE published
April 30, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-5611 Stratum – Elementor Widgets <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget CVE-2025-62983 WordPress Posts By Tag plugin <= 3.2.1 - Cross Site Scripting (XSS) vulnerability CVE-2017-20191 Zimbra zm-admin-ajax Form Textbox Field Error XFormItem.js XFormItem.prototype.setError cross site scripting CVE-2024-22359 IBM UrbanCode Deploy cross-site scripting CVE-2026-25647 Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink