5 matches found

GithubExploit
added 2025/08/05 4:29 p.m. · 166 views

Exploit for Code Injection in Xwiki

CVE-2025-24893 — XWiki Unauthenticated RCE PoC Proof-of-Con...

CVSS 9.8 · AI score 8.8 · EPSS 0.93701
Exploits: 49
RedhatCVE
added 2025/06/15 6:2 p.m. · 3 views

CVE-2025-49586

XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0,...

CVSS 8.7 · AI score 7.4 · EPSS 0.09249
Exploits: 1 · References: 1
Cvelist
added 2025/06/13 5:51 p.m. · 13 views

CVE-2025-49587 XWiki does not require right warnings for notification displayer objects

XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing X...

CVSS 6.4 · EPSS 0.00618
Exploits: 1 · References: 3
Positive Technologies
added 2025/02/07 12:0 a.m. · 3 views

PT-2025-25433 · Xwiki · Xwiki

Name of the Vulnerable Software and Affected Versions: XWiki versions prior to 16.4.7; XWiki versions prior to 16.10.3; XWiki versions prior to 17.0.0. Description: XWiki is a generic wiki platform that warns about the execution of "dangerous" macros like malicious script macros authored by a user...

CVSS 9 · AI score 6.9 · EPSS 0.01311
Exploits: 1 · References: 20
OSV
added 2024/04/10 5:7 p.m. · 16 views

GHSA-V782-XR4W-3VQX XWiki Platform: Password hash might be leaked by diff once the xobject holding them is deleted

Impact: It is possible to access the hash of a password by using the diff feature of the history whenever the object storing the password is deleted. Using that vulnerability it's possible for an attacker to have access to the hash password of a user if they have rights to edit the users' page. No...

CVSS 6.8 · AI score 5.7 · EPSS 0.00202
Exploits: 0 · References: 7