Cyber Resilience

CVE-2025-49587

MediumPublic PoC

Published: 13 June 2025

Published
13 June 2025
Modified
03 September 2025
KEV Added
Patch
CVSS Score v4 6.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0062 70.5th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-49587 is a medium-severity Insufficient UI Warning of Dangerous Operations (CWE-357) vulnerability in Xwiki Xwiki. Its CVSS base score is 6.4 (Medium).

Operationally, ranked in the top 29.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw…

more

HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

xwiki
xwiki
15.9 — 15.10.16 · 16.0.0 — 16.4.7 · 16.5.0 — 16.10.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References