CVE-2025-32969
Published: 23 April 2025
Summary
CVE-2025-32969 is a critical-severity SQL Injection (CWE-89) vulnerability in XWiki. Its CVSS 4.0 base score is 9.3 (Critical).
Operationally, it ranks in the top 5.8% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
Deeper analysis
XWiki is a generic wiki platform. Versions from 1.8 up to and including 15.10.15, 16.4.5 and 16.10.0 contain a blind SQL injection vulnerability. A remote unauthenticated attacker can escape the HQL execution context and inject arbitrary SQL statements against the database backend; the injection works even when the options "Prevent unregistered users from viewing pages" and "Prevent unregistered users from editing pages" are enabled, so those settings are not a mitigation. The root cause is insufficient neutralization of attacker-controlled input in HQL query handling, tracked as CWE-89.
An unauthenticated remote attacker can exploit the vulnerability over the network to execute SELECT queries that extract sensitive data such as password hashes and, depending on the database backend, also run UPDATE, INSERT, or DELETE statements that alter or destroy content. The CVSS 4.0 score of 9.3 reflects a network attack vector, low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.
The official XWiki security advisory and accompanying patches state that the issue is resolved in releases 15.10.16, 16.4.6, and 16.10.1; the project provides no workaround other than upgrading. A linked commit on the xwiki-platform repository and the corresponding Jira ticket document the code change that closes the HQL escape path.
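Since the only remediation is upgrading, the practical check is whether a given installed version falls inside the affected ranges and which fixed release on its branch to move to. The following Python is an added example written for this page, not code from XWiki or its advisory. It encodes the version ranges stated above and assumes that a pre-release qualifier such as -rc-1 sorts just below the final release it precedes, so a release candidate of a fixed version is still reported as affected.

```python
import re
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int, int]

# Affected range starts at 1.8 (per the advisory). Each branch maps the
# first version it covers (inclusive) to the release that fixes it; a
# version is affected when it is below the fix release for its branch.
FIRST_AFFECTED: Version = (1, 8, 0, 0)
BRANCHES = (
    # (first version on branch, fixed release on that branch)
    ((1, 8, 0, 0), (15, 10, 16, 0)),   # 1.8 ... 15.10.15  -> 15.10.16
    ((16, 0, 0, 0), (16, 4, 6, 0)),    # 16.0 ... 16.4.5   -> 16.4.6
    ((16, 5, 0, 0), (16, 10, 1, 0)),   # 16.5 ... 16.10.0  -> 16.10.1
)


class Assessment(NamedTuple):
    version: str
    affected: bool
    upgrade_to: Optional[str]


def parse_version(s: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-qualifier]' into a comparable tuple.

    Assumption (not from the advisory): a qualifier such as -rc-1 or
    -milestone-2 denotes a pre-release that sorts just below the final
    release, so it is encoded as -1 in the last slot and a final release
    gets 0 there. Tuple comparison then orders versions correctly.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z].*))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {s!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), -1 if qualifier else 0)


def fmt(v: Version) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}"


def assess(version: str) -> Assessment:
    """Report whether `version` is affected and the fix release to upgrade to."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return Assessment(version, False, None)
    # The applicable branch is the one with the greatest start <= v.
    fix = None
    for start, branch_fix in BRANCHES:
        if v >= start:
            fix = branch_fix
    assert fix is not None
    affected = v < fix
    return Assessment(version, affected, fmt(fix) if affected else None)


if __name__ == "__main__":
    # Constructed sample of versions an inventory scan might report.
    for s in ["1.7", "1.8", "14.10.21", "15.10.15", "15.10.16", "16.3.0",
              "16.4.5", "16.4.6", "16.9.0", "16.10.0", "16.10.1-rc-1",
              "16.10.1", "17.0.0"]:
        a = assess(s)
        status = f"AFFECTED, upgrade to {a.upgrade_to}" if a.affected else "not affected"
        print(f"{a.version:>14}: {status}")
```

Versions on the 16.x line between the fixed branches (for example 16.3.0 or 16.9.0) have no fixed release of their own; the check points them at the next fixed release above them (16.4.6 and 16.10.1 respectively), which matches the upgrade paths the advisory names.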
EPSS for the CVE rose from a low baseline to a peak of 0.3140 on 2026-05-05 before receding to the current value of 0.1280, indicating measurable post-disclosure exploitation interest that later subsided.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12170
Vulnerability details
XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry, which for this entry is CWE-89.