CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2025/10/03 8:7 p.m.•4 views

EUVD-2025-18299

Malicious code in bioql PyPI...

8.6CVSS6.3AI score0.00618EPSS

RedhatCVE•added 2025/06/15 6:2 p.m.•2 views

CVE-2025-49585

XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki requires edit right, and that same document is later edited by a user with script,...

8.6CVSS6.4AI score0.00618EPSS

Exploits1References1

Github Security Blog•added 2025/06/13 8:46 p.m.•10 views

XWiki does not require right warnings for XClass definitions

Impact When an attacker without script or programming right creates an XClass definition in XWiki requires edit right, and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior...

Exploits1References5Affected Software1

OSV•added 2025/06/13 8:46 p.m.•4 views

GHSA-59W6-R9HM-439H XWiki does not require right warnings for XClass definitions

8.6CVSS7.1AI score0.00618EPSS

Exploits1References5

Cvelist•added 2025/06/13 5:47 p.m.•17 views

CVE-2025-49586 XWiki allows remote code execution through preview of XClass changes in AWM editor

XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application the default for all users XWiki can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0,...

8.7CVSS0.09249EPSS

Cvelist•added 2025/06/13 5:33 p.m.•12 views

CVE-2025-49585 XWiki does not require right warnings for XClass definitions

8.6CVSS0.00618EPSS

CVE•added 2025/06/13 5:33 p.m.•53 views

CVE-2025-49585

XWiki vulnerability CVE-2025-49585 affects multiple pre-patched releases: before 15.10.16, 16.0.0-rc-1 → 16.4.6, and 16.5.0-rc-1 → 16.10.1. An attacker with no script/programming rights can create an XClass definition (requires edit rights), and if the same document is later edited by someone wit...

Exploits1References3Affected Software1

Vulnrichment•added 2025/06/13 5:33 p.m.•7 views

CVE-2025-49585 XWiki does not require right warnings for XClass definitions

OSV•added 2025/06/13 5:33 p.m.•4 views

CVE-2025-49585 XWiki does not require right warnings for XClass definitions

8.6CVSS6.7AI score0.00618EPSS

Exploits1References5

CNNVD•added 2025/06/13 12:0 a.m.•2 views

XWiki Platform 安全漏洞

XWiki Platform is XWiki's open source suite of Wiki platforms for creating web collaboration applications. A security vulnerability exists in XWiki Platform versions prior to 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, which stems from an XClass definition that could le...

OSV•added 2024/08/19 9:49 p.m.•14 views

GHSA-WCG9-PGQV-XM5V XWiki Platform allows XSS through XClass name in string properties

Impact Is it possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. Reproduction steps 1. As a user without script or programming right, create a non-terminal document...

9.4CVSS7.2AI score0.0727EPSS

Exploits1References5

Cvelist•added 2024/08/19 4:24 p.m.•20 views

CVE-2024-43400 XWiki Platform allows XSS through XClass name in string properties

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. Thi...

9CVSS0.0727EPSS

NVD•added 2023/09/01 8:15 p.m.•13 views

CVE-2023-41046

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible in XWiki to execute Velocity code without having script right by creating an XClass with a property of type "TextArea" and content type "VelocityCode" or "VelocityWiki". For the...

6.3CVSS6.5AI score0.00126EPSS

Exploits0References4

Prion•added 2023/09/01 8:15 p.m.•15 views

Input validation

6.5CVSS6.4AI score0.00126EPSS

Exploits0References4Affected Software1

CVE•added 2023/09/01 7:59 p.m.•2502 views

CVE-2023-41046

CVE-2023-41046 describes a velocity code execution flaw in XWiki Platform where VelocityCode/VelocityWiki properties can run Velocity without script rights. The code executes with the correct context author, but cannot access privileged APIs; however, it may access data/APIs that enable further p...

6.3CVSS6.4AI score0.00126EPSS

Exploits0References4Affected Software1

OSV•added 2023/09/01 7:59 p.m.•13 views

CVE-2023-41046 Velocity execution without script rights in Xwiki platform

6.3CVSS6.6AI score0.00126EPSS

Exploits0References6

OSV•added 2022/11/21 10:34 p.m.•21 views

GHSA-9HQH-FMHG-VQ2J Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml

Impact Any user with the right to edit his personal page can follow one of the scenario below: Scenario 1: - Log in as a simple user with just edit rights on the user profile - Go to the user's profile - Upload an attachment in the attachment tab at the bottom of the page any image is fine - Clic...

9.9CVSS9.2AI score0.05936EPSS