CVE-2025-49580 HIGH

CVE-2025-49580: XWiki allows privilege escalation through link refactoring

Vendor Xwiki
Product xwiki-platform
Weakness CWE-266
Published June 13, 2025
Last update June 13, 2025

CVSS base score 8.5/10

Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Active (UI:A in the CVSS vector)
Confidentiality High (VC:H in the CVSS vector)
Integrity High (VI:H in the CVSS vector)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

XWiki is a generic wiki platform. In versions from 8.2 and from 7.4.5 up to (but not including) 17.1.0-rc-1, 16.10.4, and 16.4.7, a page can gain script or programming rights when it contains a link and the target of that link is renamed or moved. As a result, scripts contained in xobjects that should never have been executed might be executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.

Key dates

Disclosure timeline

June 13, 2025 CVE published
June 13, 2025 Record updated

Related vulnerabilities

Related CVE