CVE-2025-53835

XWiki Rendering (org.xwiki.rendering) is affected in versions 5.4.5 up to, but not including, 14.10 due to a dependency of the XHTML syntax on xdom+xml/current, which permits creation of raw blocks that can insert arbitrary HTML/JavaScript and enable XSS when users can edit content (e.g., profile...

CVE-2025-53835 XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax

XWiki Rendering is a generic rendering system that converts textual input in a given syntax wiki syntax, HTML, etc into another syntax XHTML, etc. Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the xdom+xml/current syntax which allows the creation of raw blocks...

GHSA-W3WH-G4M9-783P XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax

Impact The XHTML syntax depended on the xdom+xml/current syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile enabled by default. The attack works ...

XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax

Impact The XHTML syntax depended on the xdom+xml/current syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile enabled by default. The attack works ...

PT-2025-29523 · Xwiki · Xwiki

Name of the Vulnerable Software and Affected Versions: XWiki versions 5.4.5 through 14.9 Description: XWiki Rendering, a system for converting textual input into different syntaxes, contains a flaw. Prior to version 14.10, the XHTML syntax relied on the xdom+xml/current syntax, enabling the...