CVE-2025-55729 CRITICAL

CVE-2025-55729: XWiki Remote Macros vulnerable to remote code execution using the ConfluenceLayoutSection macro

Vendor Xwikisas
Product xwiki-pro-macros
Weakness CWE-116
Published September 9, 2025
Last update September 10, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can edit any page The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.

Key dates

02Disclosure timeline

September 9, 2025 CVE published
September 10, 2025 Record updated