
5 matches found

OSV • added 2025/12/10 9:51 p.m. • 6 views

CVE-2025-66473 XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis

XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of...

CVSS 8.7 | AI score 6.6 | EPSS 0.00339
Exploits 0 | References 5

Vulnrichment • added 2025/06/13 5:21 p.m. • 10 views

CVE-2025-49584 XWiki makes title of inaccessible pages available through the class property values REST API

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default...

CVSS 8.7 | AI score 6.4 | EPSS 0.00375
Exploits 1 | References 3

CVE • added 2025/04/23 3:33 p.m. • 197 views

CVE-2025-32969

Summary: CVE-2025-32969 affects the XWiki Platform REST server and related components, enabling unauthenticated remote SQL injection by escaping the HQL execution context in the REST API query endpoint. Affected versions are 1.8 up to but not including 15.10.16, and 16.x releases before 16.4.6 and 16.10.1. Successful explo...

CVSS 9.8 | AI score 8 | EPSS 0.79487
In wild | Exploits 1 | References 3 | Affected Software 1

Github Security Blog • added 2025/04/23 2:42 p.m. • 21 views

org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API

Impact It is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Preven...

CVSS 9.8 | AI score 8.6 | EPSS 0.79487
Exploits 1 | References 5 | Affected Software 1

OSV • added 2025/04/23 2:42 p.m. • 9 views

GHSA-F69V-XRJ8-RHXF org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API

Impact It is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Preven...

CVSS 9.8 | AI score 7.9 | EPSS 0.79487
Exploits 1 | References 5