19 matches found

EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-12743

Malicious code in bioql PyPI...

CVSS 3.8 | AI score 6.4 | EPSS 0.00091
Exploits: 1 | References: 5
OSV
added 2025/08/14 6:52 p.m.

MAL-2025-19673 Malicious code in enterprise_script_service (npm)

The package enterprise_script_service was found to contain malicious code...

AI score 7.2
Exploits: 0
RedhatCVE
added 2025/05/23 5:38 a.m.

CVE-2023-26478

XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment returns an instance of com.xpn.xwiki.doc.XWikiAttachment. This class is not supported to be exposed to users without the programming right...

CVSS 8.1 | AI score 6.8 | EPSS 0.04616
Exploits: 1 | References: 1
RedhatCVE
added 2025/05/02 3:24 p.m.

CVE-2025-32971

XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's...

CVSS 3.8 | AI score 6.8 | EPSS 0.00091
Exploits: 1 | References: 1
NVD
added 2025/04/30 3:16 p.m.

CVE-2025-32971

XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's...

CVSS 3.8 | EPSS 0.00091
Exploits: 1 | References: 3
Cvelist
added 2025/04/30 2:54 p.m.

CVE-2025-32971 XWiki Solr script service doesn't take dropped programming right into account

XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's...

CVSS 3.8 | EPSS 0.00091
Exploits: 1 | References: 3
Vulnrichment
added 2025/04/30 2:54 p.m.

CVE-2025-32971 XWiki Solr script service doesn't take dropped programming right into account

XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's...

CVSS 3.8 | AI score 6.8 | EPSS 0.00091
Exploits: 1 | References: 3
CVE
added 2025/04/30 2:54 p.m.

CVE-2025-32971

CVE-2025-32971 affects XWiki where the Solr script service can be invoked via the scripting API without properly accounting for dropped programming rights. The root cause is using an incorrect API to verify rights, so a user with script rights could bypass protections after calling $xcontext.drop...

CVSS 3.8 | AI score 4.5 | EPSS 0.00091
Exploits: 1 | References: 3 | Affected software: 1
CNNVD
added 2025/04/30 12:00 a.m.

XWiki Platform security vulnerability

XWiki Platform is the XWiki open source suite of Wiki platforms for creating web collaboration applications. A security vulnerability exists in XWiki Platform versions prior to 15.10.13, prior to 16.4.4, and prior to 16.8.0-rc-1, which stems from an improper privilege check in the Solr script...

CVSS 3.8 | AI score 6.5 | EPSS 0.00091
Exploits: 1 | References: 3
Github Security Blog
added 2025/04/29 1:59 p.m.

Solr script service doesn't take dropped programming right into account

Impact: The Solr script service that is accessible in XWiki's scripting API normally requires programming right to be called. Due to using the wrong API for checking rights, it doesn't take into account the fact that programming rights might have been dropped by calling $xcontext.dropPermissions. ...

CVSS 3.8 | AI score 6.8 | EPSS 0.00091
Exploits: 1 | References: 5 | Affected software: 1
OSV
added 2025/04/29 1:59 p.m.

GHSA-987P-R3JC-8C8V Solr script service doesn't take dropped programming right into account

Impact: The Solr script service that is accessible in XWiki's scripting API normally requires programming right to be called. Due to using the wrong API for checking rights, it doesn't take into account the fact that programming rights might have been dropped by calling $xcontext.dropPermissions. ...

CVSS 3.8 | AI score 6.9 | EPSS 0.00091
Exploits: 1 | References: 5
Prion
added 2023/08/23 9:15 p.m.

Privilege escalation

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can use the content field of their user profile page to execute arbitrary scripts with programming rights, thus effectively performing rights escalation. This issue is...

CVSS 6.5 | AI score 8.7 | EPSS 0.02144
Exploits: 0 | References: 3 | Affected software: 1
Veracode
added 2022/04/29 10:23 a.m.

XML External Entity Injection (XXE)

org.xwiki.commons:xwiki-commons-xml is vulnerable to XML external entity injection (XXE). A remote authenticated attacker is able to inject a specifically crafted script through the XML script service to gain access to sensitive user information...

CVSS 4.9 | AI score 2.6 | EPSS 0.00127
Exploits: 1 | References: 6 | Affected software: 1
Prion
added 2022/04/28 8:15 p.m.

XXE

org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessible to the user running the XWiki application server with XML External...

CVSS 4 | AI score 5.2 | EPSS 0.00127
Exploits: 1 | References: 3 | Affected software: 1
OSV
added 2022/04/28 7:31 p.m.

GHSA-M2R5-4W96-QXG5 Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml

Impact: It's possible in a script to access any file accessible to the user running the XWiki application server with XML External Entity Injection through the XML script service. For example: velocity set$xml=$services.get'xml' set$xxepayload = "" set$doc=$xml.parse$xxepayload $xml.serialize$doc...

CVSS 4.9 | AI score 5.8 | EPSS 0.00127
Exploits: 1 | References: 5
OSV
added 2021/07/02 7:19 p.m.

GHSA-M738-3RC4-5XV3 A user without PR can reset user authentication failures information

Impact: The script service method used to reset the authentication failures record can be executed by any user with Script rights and does not require Programming rights as it should have. Note that being able to reset the authentication failure record means that an attacker with script right might...

CVSS 2 | AI score 5.4 | EPSS 0.00046
Exploits: 0 | References: 3
NVD
added 2021/07/01 5:15 p.m.

CVE-2021-32729

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A vulnerability exists in versions prior to 12.6.88, 12.10.4, and 13.0. The script service method used to reset the authentication failures record can be executed by any user with Script right...

CVSS 5.5 | EPSS 0.00046
Exploits: 0 | References: 2
CVE
added 2021/03/23 10:45 p.m.

CVE-2021-21380

CVE-2021-21380 affects XWiki Platform when the Ratings API is installed. The Rating Script Service exposes an API to perform SQL requests without escaping the from and where arguments, enabling SQL injection by any user with Script rights. The issue is fixed in XWiki 12.9RC1. A workaround is to u...

CVSS 8.8 | AI score 8.4 | EPSS 0.03318
Exploits: 0 | References: 2 | Affected software: 1
GithubExploit
added 2020/01/19 1:01 p.m.

Exploit for CVE-2020-2551

Twitter: @Hktalent3135773...

CVSS 9.8 | AI score 9.6 | EPSS 0.94412
Exploits: 18