CVE-2025-51991
Published: 20 August 2025
Summary
CVE-2025-51991 is a high-severity Cross-site Scripting (CWE-79) vulnerability in XWiki. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Template Injection (T1221). The CVE ranks in the top 12.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation and sanitization of user-supplied inputs, directly preventing SSTI by blocking malicious Apache Velocity templates in the HTTP Meta Info field.
SI-2 ensures timely patching and remediation of flaws, such as upgrading XWiki beyond version 17.3.0 to fix the improper template rendering vulnerability.
AC-6 enforces least privilege, limiting the number of authenticated administrators able to access and exploit the vulnerable Administration interface.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-51991 is a Server-Side Template Injection (SSTI) vulnerability via Apache Velocity in the XWiki Administration interface's HTTP Meta Info field, directly enabling T1221: Template Injection for arbitrary template logic execution, potentially leading to RCE or information disclosure.
NVD Description
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.
Deeper analysis
CVE-2025-51991 is a Server-Side Template Injection (SSTI) vulnerability affecting XWiki through version 17.3.0. The issue resides in the Administration interface, specifically the HTTP Meta Info field within the Global Preferences Presentation section, where user-supplied input is processed via Apache Velocity template rendering without proper validation or sandboxing. This improper handling of dynamic templates allows injection of crafted code, enabling execution of arbitrary template logic. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-79 (Cross-site Scripting) and CWE-94 (Code Injection).
An authenticated administrator can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious Apache Velocity templates into the affected field, the attacker can execute arbitrary template logic on the server side, potentially exposing internal server information. In specific configurations, this may escalate to remote code execution or sensitive data leakage.
Mitigation details and patches are referenced in advisories available at https://xwiki.org and the CVE writeup at https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51991.md, published on 2025-08-20. Security practitioners should consult these sources for upgrade instructions and workaround guidance.
Details
- CWE(s)