CVE-2025-54385 XWiki Platform's searchDocuments API allows for SQL injection
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using functions like DBMSXMLGEN or DBMSXMLQUERY. The...
CVE-2025-54385
XWiki Platform contains a SQL injection vulnerability in the searchDocuments API. Affected versions are 17.0.0-rc1 through 17.2.2 and 16.10.5 and earlier. The issue arises because queries are passed directly to Hibernate without adequate sanitization, allowing injection of malicious SQL (e.g., vi...
GHSA-P9QM-P942-Q3W5 XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API
Impact: It's possible to execute any SQL query in Oracle by using functions like DBMSXMLGEN or DBMSXMLQUERY. The XWiki#searchDocuments APIs are not sanitizing the query at all, and even if they force a specific select, Hibernate allows using any native function in an HQL query, for example in the...