42 matches found

VulnCheck KEV
added 2025/11/27 12:0 a.m. | 1 view

VulnCheck KEV: CVE-2025-52472

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is...

CVSS 9.3 | AI score 5.7 | EPSS 0.00342
In wild | Exploits 0 | References 2
Vulnrichment
added 2025/10/20 7:57 p.m. | 4 views

CVE-2025-8052 HQL Injection vulnerability has been discovered in Opentext Flipper.

SQL Injection vulnerability in opentext Flipper allows SQL Injection. The vulnerability could allow a low privilege user to interact with the database in unintended ways and extract data by interacting with the HQL processor. This issue affects Flipper: 3.1.2...

CVSS 1 | AI score 7.4 | EPSS 0.00034
Exploits 0 | References 1
RedhatCVE
added 2025/10/07 3:22 p.m. | 1 view

CVE-2025-52472

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is...

CVSS 9.3 | AI score 7.2 | EPSS 0.00342
Exploits 0 | References 1
EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2016-2690

Malware in sbrugna...

CVSS 6.5 | AI score 6.6 | EPSS 0.03525
Exploits 3 | References 7
EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2020-4225

Malware in sbrugna...

CVSS 8.1 | AI score 8 | EPSS 0.00243
Exploits 0 | References 2
OSV
added 2025/10/06 8:16 p.m. | 7 views

GHSA-GPRP-H92G-GC2H XWiki Platform is vulnerable to HQL injection via wiki and space search REST API

Impact: The REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it's not that easy to exploit. The part of the query between the two fields can b...

CVSS 9.3 | AI score 7.4 | EPSS 0.00342
Exploits 0 | References 6
NVD
added 2025/10/06 3:16 p.m. | 2 views

CVE-2025-52472

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is...

CVSS 9.3 | EPSS 0.00342
Exploits 0 | References 4
OSV
added 2025/10/06 2:53 p.m. | 3 views

CVE-2025-52472 XWiki Platform vulnerable to HQL injection via wiki and space search REST API

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is...

CVSS 9.3 | AI score 6.9 | EPSS 0.00342
Exploits 0 | References 6
CVE
added 2025/10/06 2:53 p.m. | 12 views

CVE-2025-52472

Summary of CVE-2025-52472 (XWiki Platform): XWiki Platform is vulnerable to a Hibernate Query Language (HQL) injection in the wiki/space REST search API via the orderField parameter. The issue arises because the parameter value is inadvertently added twice in the generated query (once in the selec...

CVSS 9.3 | AI score 6.8 | EPSS 0.00342
In wild | Exploits 0 | References 4
Cvelist
added 2025/10/06 2:53 p.m. | 8 views

CVE-2025-52472 XWiki Platform vulnerable to HQL injection via wiki and space search REST API

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is...

CVSS 9.3 | EPSS 0.00342
Exploits 0 | References 4
Vulnrichment
added 2025/10/06 2:53 p.m. | 1 view

CVE-2025-52472 XWiki Platform vulnerable to HQL injection via wiki and space search REST API

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is...

CVSS 9.3 | AI score 6.8 | EPSS 0.00342
Exploits 0 | References 4
EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2024-3519

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 6.3 | EPSS 0.01904
Exploits 0 | References 5
Positive Technologies
added 2025/05/26 12:0 a.m. | 4 views

PT-2025-40901

Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 4.3-milestone-1 through 16.10.8; XWiki Platform versions 17.4.0 through 17.4.1; XWiki Platform versions 17.5.0. Description: The XWiki Platform, a generic wiki platform, contains a flaw in the REST search URL. The orderFiel...

CVSS 9.3 | AI score 6.5 | EPSS 0.00342
Exploits 0 | References 15
RedhatCVE
added 2025/05/23 7:41 a.m. | 7 views

CVE-2024-55663

XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in getdocument.vm; the ordering of the returned documents is defined from an unsanitized request parameter request.sort and can allow any user to inject HQL. Depending on th...

CVSS 9.8 | AI score 6.7 | EPSS 0.01904
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 4:11 p.m. | 6 views

CVE-2020-11886

OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList.htm aka the NodeListController via snmpParm or snmpParmValue to addCriteriaForSnmpParm. This affects Horizon before 25.2.1, Meridian 2019 before 2019.1.4, Meridian 2018 before 2018.1.16, and Meridian 2017 before 2017.1.21...

CVSS 8.1 | AI score 7.2 | EPSS 0.00243
Exploits 0 | References 1
RedhatCVE
added 2025/02/14 5:46 a.m. | 6 views

CVE-2024-49203

Querydsl 5.1.0 and OpenFeign Querydsl 6.8 allows SQL/HQL injection in orderBy in JPAQuery. NOTE: this is disputed by a Querydsl community member because the product is not intended to defend against a developer who uses untrusted input directly in query construction...

AI score 6.9 | EPSS 0.00212
Exploits 0 | References 12
NVD
added 2024/12/12 7:15 p.m. | 9 views

CVE-2024-55663

XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in getdocument.vm; the ordering of the returned documents is defined from an unsanitized request parameter request.sort and can allow any user to inject HQL. Depending on th...

CVSS 9.8 | EPSS 0.01904
Exploits 0 | References 3
OSV
added 2024/12/12 6:53 p.m. | 7 views

CVE-2024-55663 XWiki Platform has an SQL injection in getdocuments.vm with sort parameter

XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in getdocument.vm; the ordering of the returned documents is defined from an unsanitized request parameter request.sort and can allow any user to inject HQL. Depending on th...

CVSS 8.6 | AI score 6.6 | EPSS 0.01904
Exploits 0 | References 5
CVE
added 2024/12/12 6:53 p.m. | 56 views

CVE-2024-55663

CVE-2024-55663 is an SQL injection in XWiki Platform occurring in getdocument.vm, tied to an unsanitized sort parameter that can enable HQL injection. Affected versions include 6.3-milestone-2 up to 13.10.4/14.3-rc-1, with patches implemented in 13.10.5 and 14.3-rc-1. Depending on the database ba...

CVSS 9.8 | AI score 6.3 | EPSS 0.01904
Exploits 0 | References 3 | Affected Software 1
OSV
added 2024/11/27 7:0 p.m. | 1 view

GHSA-6Q3Q-6V5J-H6VG Querydsl vulnerable to HQL injection through orderBy

Summary: The order by method enables injecting HQL queries. This may cause blind HQL injection, which could lead to leakage of sensitive information, and potentially also Denial Of Service. This vulnerability is present since the original querydsl repository https://github.com/querydsl/querydsl whe...

CVSS 8.8 | AI score 5.9 | EPSS 0.00212
Exploits 0 | References 9