Cyber Resilience

CVE-2025-32969

Critical · Public PoC

Published: 23 April 2025
Modified: 30 April 2025
KEV Added: not listed
Patch: available
CVSS Score (v4): 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.1280 (94.2nd percentile)
Risk Priority: 26 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-32969 is a critical-severity SQL Injection (CWE-89) vulnerability in XWiki (vendor XWiki, product XWiki). Its CVSS v4 base score is 9.3 (Critical).

Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

XWiki is a generic wiki platform. Versions from 1.8 up to and including 15.10.15, 16.4.5 and 16.10.0 are affected by a blind SQL injection vulnerability. The flaw lets a remote, unauthenticated attacker escape the HQL execution context and inject arbitrary SQL statements against the database backend, even when the platform options that prevent unregistered users from viewing or editing pages are enabled. The root cause is insufficient sanitization in HQL query handling; the weakness is tracked as CWE-89.

An unauthenticated remote attacker can exploit the vulnerability over the network to execute SELECT queries that extract sensitive data such as password hashes, and on many database backends also run UPDATE, INSERT, or DELETE statements that alter or destroy content. The CVSS 4.0 score of 9.3 reflects the combination of network attack vector, low complexity, and high impact on confidentiality, integrity, and availability without any required privileges or user interaction.

The official XWiki security advisory and accompanying patches state that the issue is resolved in releases 15.10.16, 16.4.6, and 16.10.1; the project provides no workaround other than upgrading. A linked commit on the xwiki-platform repository and the corresponding Jira ticket document the code change that closes the HQL escape path.

EPSS for the CVE rose from a low baseline to a peak of 0.3140 on 2026-05-05 before receding to the current value of 0.1280, indicating measurable post-disclosure exploitation interest that later subsided.

EU & UK References

Vulnerability details

XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Affected versions: 1.8 up to (excluding) 15.10.16 · 16.0.0 up to (excluding) 16.4.6 · 16.5.0 up to (excluding) 16.10.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.

References