CVE-2025-55728 CRITICAL

CVE-2025-55728: XWiki Remote Macros vulnerable to remote code execution using the panel macro

Vendor Xwikisas
Product xwiki-pro-macros
Weakness CWE-95 · Eval injection
Published September 9, 2025
Last update September 11, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit any page The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 contains a patch for the issue.

Key dates

02Disclosure timeline

September 9, 2025 CVE published
September 11, 2025 Record updated