CVE-2025-49586 HIGH

CVE-2025-49586: XWiki allows remote code execution through preview of XClass changes in AWM editor

Vendor Xwiki

Product xwiki-platform

Weakness CWE-863 · Incorrect authorization

Published June 13, 2025

Last update June 13, 2025

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.

Key dates

02Disclosure timeline

June 13, 2025 CVE published

June 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-49586 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

Identifiers

CVE CVE-2025-49586

CWE CWE-863

CVSS 8.7 / HIGH

Affected versions

Vendor Xwiki

Product xwiki-platform

Affected >= 7.2-milestone-2, < 16.4.7

Vendor Xwiki

Product xwiki-platform

Affected >= 16.5.0-rc-1, < 16.10.3

Vendor Xwiki

Product xwiki-platform

Affected >= 17.0.0-rc-1, < 17.0.0

CVE-2025-49586: XWiki allows remote code execution through preview of XClass changes in AWM editor

01Description

02Disclosure timeline

03References

04Related CVE