Cyber Resilience

CVE-2025-49582

Severity: High · Public PoC

Published: 13 June 2025

Modified: 03 September 2025
KEV Added: no
Patch: available (see fixed versions below)
CVSS v4.0 score: 8.6 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0131 (80.2nd percentile)
Risk priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-49582 is a high-severity Insufficient UI Warning of Dangerous Operations (CWE-357) vulnerability in XWiki (vendor XWiki). Its CVSS base score is 8.6 (High).

Operationally, it ranks in the top 19.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

XWiki is a generic wiki platform affected by an incomplete implementation of the required rights analyzers introduced in version 15.9RC1. These analyzers are intended to warn users who edit pages containing dangerous macros, such as malicious script macros authored by lower-privileged users, but they fail to inspect macro parameters whose names are not lowercase, parameters such as titles that can embed XWiki syntax, and the source parameters of the content and context macros.

An attacker with limited rights can therefore craft hidden malicious macros, including Groovy or Python script macros, inside a page. When a user possessing programming rights subsequently edits that page, the macros execute, resulting in remote code execution on the server.

The vulnerability is addressed in XWiki 16.4.7, 16.10.3, and 17.0.0 by hardening the required rights analyzers to cover the previously omitted cases; the corresponding fixes are documented in the referenced GitHub commits and the advisory GHSA-c32m-27pj-4xcj. The EPSS score has remained flat at 0.0131 with no material increase since disclosure.

Vulnerability details

XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. For most macros, the existing analyzers don't consider non-lowercase parameters. Further, most macro parameters that can contain XWiki syntax like titles of information boxes weren't analyzed at all. Similarly, the "source" parameters of the content and context macro weren't analyzed even though they could contain arbitrary XWiki syntax. In the worst case, this could allow a malicious user to add malicious script macros including Groovy or Python macros to a page that are then executed after another user with programming rights edits the page, thus allowing remote code execution. The required rights analyzers have been made more robust and extended to cover those cases in XWiki 16.4.7, 16.10.3 and 17.0.0.
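Added example, not code from this page or from XWiki: a standalone Python heuristic that audits a page's wiki source for script macros in the three places the "Deeper analysis" and "Vulnerability details" sections say the pre-fix analyzers skipped (parameter names that are not lowercase, title-style parameters that hold wiki syntax, and the content/context source parameters). It approximates XWiki 2.x macro syntax with regular expressions rather than using the real parser; the SCRIPT_MACROS set, the ~ escape handling and SAMPLE_PAGE are constructed assumptions.

```python
import re
from typing import List, Tuple

# Script macros a reviewer with programming rights should know about before saving
# a page. The set is an assumption; extend it to match the local install.
SCRIPT_MACROS = {"groovy", "python", "velocity", "script"}

# Opening tag of an XWiki 2.x macro: {{name p1="v" p2='v'}} or self-closing {{name /}}.
# A quoted value may contain "}}" (a nested macro) and ~-escaped quotes, so the value
# pattern must swallow them instead of ending the tag early.
_VALUE = r'"(?:~.|[^"~])*"|\'(?:~.|[^\'~])*\''
MACRO_OPEN = re.compile(
    r"\{\{\s*([A-Za-z][\w-]*)((?:\s+[\w-]+\s*=\s*(?:" + _VALUE + r"))*)\s*/?\}\}", re.DOTALL
)
PARAM = re.compile(r"([\w-]+)\s*=\s*(" + _VALUE + r")", re.DOTALL)

def _unescape(quoted: str) -> str:
    """Strip the surrounding quotes and resolve ~-escapes in a parameter value."""
    return re.sub(r"~(.)", r"\1", quoted[1:-1], flags=re.DOTALL)

def find_script_macros(content: str, path: str = "") -> List[Tuple[str, str]]:
    """Return (location, macro) pairs for every script macro in the page source.
    Parameter names are lower-cased and every parameter value is scanned recursively,
    so a macro hidden in TITLE="..." or source='...' is reported like one in the body."""
    findings: List[Tuple[str, str]] = []
    for m in MACRO_OPEN.finditer(content):
        name = m.group(1).lower()
        if name in SCRIPT_MACROS:
            findings.append((path or "body", name))
        for p in PARAM.finditer(m.group(2)):
            location = f"{path + '.' if path else ''}{name}[{p.group(1).lower()}]"
            findings += find_script_macros(_unescape(p.group(2)), location)
    return findings

# Constructed sample page: one visible script macro plus two hidden in parameters that
# the pre-fix analyzers skipped (an upper-cased info title and a context source).
SAMPLE_PAGE = """\
= Release notes =
{{info title="Heads up"}}Plain text.{{/info}}
{{info TITLE="{{groovy}}println 'hidden'{{/groovy}}"}}Looks harmless.{{/info}}
{{context source='{{python}}print(1){{/python}}'}}...{{/context}}
{{groovy}}println 'visible'{{/groovy}}
"""

if __name__ == "__main__":
    for location, macro in find_script_macros(SAMPLE_PAGE):
        print(f"{macro} macro found in {location}")
```

Run it over exported page sources before a user with programming rights edits them; any finding outside "body" is exactly the kind of placement the pre-fix analyzers would not have warned about.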

CWE(s)

CWE-357: Insufficient UI Warning of Dangerous Operations

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Affected versions: 17.0.0 · 15.9 – 16.4.7 · 16.5.0 – 16.10.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
