CVE-2025-32968

Severity: High · Public PoC

Published: 23 April 2025
Modified: 30 April 2025
KEV Added: not listed
Patch: available (15.10.16, 16.4.6, 16.10.1)
CVSS Score (v4): 8.6
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0043 (63.2nd percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-32968 is a high-severity SQL Injection (CWE-89) vulnerability in the XWiki wiki platform (vendor: XWiki). Its CVSS v4 base score is 8.6 (High).

Operationally, it ranks in the top 36.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

XWiki is a generic wiki platform affected by CVE-2025-32968, a blind SQL injection vulnerability present in versions from 1.6-milestone-1 through 15.10.15, 16.4.5, and 16.10.0. The flaw allows a user holding SCRIPT right to break out of the HQL execution context in a REST API endpoint and inject arbitrary SQL statements against the backend database. The issue is tracked under CWE-89 and carries a CVSS 4.0 score of 8.6.

An attacker with SCRIPT right can exploit the weakness to retrieve sensitive data such as password hashes or, depending on the database backend, issue UPDATE, INSERT, or DELETE statements. Because the injection occurs through an authenticated API path, the attacker needs no additional user interaction or special network position beyond the granted script privilege.

The GitHub Security Advisory GHSA-g9jj-75mx-wjcx and the linked XWiki Jira ticket XWIKI-22718 state that the vulnerability is fixed in releases 15.10.16, 16.4.6, and 16.10.1. The correction applies the same query-validation logic already used for complete SELECT statements; no other workaround is provided.

EPSS for the CVE rose from a low baseline to a recorded peak of 0.0123, indicating that exploitation interest increased after public disclosure.

Vulnerability details

XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki. The protection added to this REST API is the same as the one used to validate complete select queries, making it more consistent. However, while the script API always had this protection for complete queries, it's important to note that it's a very strict protection and some valid, but complex, queries might suddenly require the author to have programming right.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Affected versions: 1.6 up to but not including 15.10.16 · 16.0.0 up to but not including 16.4.6 · 16.5.0 up to but not including 16.10.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (addresses: CWE-89)

- Validates query inputs to prevent SQL syntax or command manipulation. (addresses: CWE-89)
