CVE-2025-29926

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by ...

CVE-2025-29924

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerabilit...

CVE-2025-24893

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce ...

CVE-2025-29925

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent ...

CVE-2024-56158

XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. Thi...

CVE-2025-23025

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was experimental , and thus not recommended , in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, ...

CVE-2025-32969

XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, includ...

CVE-2025-32783

XWiki Platform is a generic wiki platform. A vulnerability in versions from 5.0 to 16.7.1 affects users with Message Stream enabled and a wiki configured as closed from selecting "Prevent unregistered users to view pages" in the Administrations Rights. The vulnerability is that any message sent in ...

CVE-2025-49584

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default f...

CVE-2025-49580

XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been...

CVE-2025-32968

XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. De...

CVE-2025-32970

XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redir...

CVE-2025-32971

XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's sc...

CVE-2025-32974

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page lik...

CVE-2025-32973

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contai...

CVE-2025-32972

XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making ...

CVE-2025-46557

XWiki is a generic wiki platform. In versions starting from 15.3-rc-1 to before 15.10.14, from 16.0.0-rc-1 to before 16.4.6, and from 16.5.0-rc-1 to before 16.10.0-rc-1, a user who can access pages located in the XWiki space (by default, anyone) can access the page XWiki.Authentication.Administrati...

CVE-2025-46554

XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. Th...

CVE-2025-49586

XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 1...

CVE-2025-49582

XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are i...

CVE-2025-48063

XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are edit...

CVE-2025-49585

XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script,...

CVE-2025-49587

XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS...

CVE-2025-49583

XWiki is a generic wiki platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationEmailRendererClass object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be...

CVE-2025-49581

XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter...

CVE-2025-32429 XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDE...

CVE-2025-54385 XWiki Platform's searchDocuments API allows for SQL injection

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searc...