Cyber Resilience

CVE-2025-51991

High | Public PoC | RCE

Published: 20 August 2025
Modified: 11 September 2025
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0365 (88.1 percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-51991 is a high-severity Cross-site Scripting (CWE-79) vulnerability in XWiki (catalogued under the vendor/product pair Xwiki Xwiki). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1221 (Template Injection); the CVE ranks in the top 11.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

XWiki through version 17.3.0 contains a server-side template injection vulnerability in its Administration interface, specifically the HTTP Meta Info field within the Global Preferences Presentation section. The flaw stems from insufficient validation or sandboxing of user-supplied Apache Velocity template code during dynamic rendering of configuration fields, allowing arbitrary template logic to execute on the server. It is tracked under CWE-79 and CWE-94 with a CVSS 3.1 score of 8.8.

An authenticated administrator can supply crafted template expressions that execute without restriction, potentially disclosing internal server details or, depending on the deployment configuration, enabling remote code execution and sensitive data exposure. The attack requires no user interaction beyond administrative access and can be performed over the network.

The associated EPSS score remains flat at 0.0365 with no observed rise after disclosure, and no information on real-world exploitation or available patches is provided in the source data.

Vulnerability details

XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.

CWE(s)

CWE-79 (Cross-site Scripting), CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1221 Template Injection (tactic tag: Stealth)
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

CVE-2025-51991 is a Server-Side Template Injection (SSTI) vulnerability via Apache Velocity in the XWiki Administration interface's HTTP Meta Info field, directly enabling T1221: Template Injection for arbitrary template logic execution, potentially leading to RCE or information disclosure.

CVEs Like This One

CVE-2026-33229 (same product: Xwiki Xwiki)
CVE-2025-53836 (same product: Xwiki Xwiki)
CVE-2025-53835 (same product: Xwiki Xwiki)
CVE-2025-24893 (same product: Xwiki Xwiki)
CVE-2025-32429 (same product: Xwiki Xwiki)
CVE-2025-55747 (same product: Xwiki Xwiki)
CVE-2025-54385 (same product: Xwiki Xwiki)
CVE-2025-29924 (same product: Xwiki Xwiki)
CVE-2025-23025 (same product: Xwiki Xwiki)
CVE-2025-29926 (same product: Xwiki Xwiki)

Affected Assets

Vendor: xwiki
Product: xwiki
Versions: ≤ 17.3.0

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 requires validation and sanitization of user-supplied inputs, directly preventing SSTI by blocking malicious Apache Velocity templates in the HTTP Meta Info field.

Prevent: SI-2 ensures timely patching and remediation of flaws, such as upgrading XWiki beyond version 17.3.0 to fix the improper template rendering vulnerability.

Prevent: AC-6 enforces least privilege, limiting the number of authenticated administrators able to access and exploit the vulnerable Administration interface.
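As an added example that is not part of this advisory or of XWiki's own code, the following Python check implements the SI-10 control described above for a configuration field such as HTTP Meta Info: it treats the stored value as literal HTML meta markup and rejects anything containing Apache Velocity directives or references before the value is saved or rendered, and it can audit an existing set of preference values for the same. The field names, the sample values and the `audit_preferences` helper are assumptions made for illustration.

```python
import re

# Velocity directives (#set, #if, #foreach, #evaluate, ...) and references
# ($name, ${name}, $!name) are what turn a literal value into executable
# template logic. The patterns are a deliberately conservative screen: for an
# admin-only field that should only ever hold static <meta> markup, a false
# positive is cheaper than a missed template.
VELOCITY_DIRECTIVE = re.compile(
    r"#\{?(?:set|if|elseif|else|end|foreach|macro|include|parse|evaluate|"
    r"define|break|stop)\b"
)
VELOCITY_REFERENCE = re.compile(r"\$!?\{?[A-Za-z_][A-Za-z0-9_]*")


def find_velocity(value):
    """Return (kind, text, offset) for every Velocity construct in value, in order."""
    findings = [("directive", m.group(0), m.start())
                for m in VELOCITY_DIRECTIVE.finditer(value)]
    findings += [("reference", m.group(0), m.start())
                 for m in VELOCITY_REFERENCE.finditer(value)]
    return sorted(findings, key=lambda f: f[2])


def validate_meta_info(value):
    """Accept only values free of template syntax; raise ValueError otherwise."""
    findings = find_velocity(value)
    if findings:
        detail = ", ".join(f"{k} {t!r} at {o}" for k, t, o in findings)
        raise ValueError(f"HTTP Meta Info must be literal markup; found {detail}")
    return value


def audit_preferences(prefs):
    """Screen a mapping of field name -> stored value; return only the fields that
    would be evaluated as templates when the page renders, with their findings."""
    report = {name: find_velocity(value) for name, value in prefs.items()}
    return {name: hits for name, hits in report.items() if hits}


# Constructed sample values (assumed field names), not taken from any real instance.
SAMPLE_PREFERENCES = {
    "meta": '<meta name="robots" content="noindex, nofollow">',
    "meta_injected": '<meta name="x" content="#set($y = 1)$y">',
    "meta_with_currency": '<meta name="price" content="$5">',  # literal "$5" is fine
}

if __name__ == "__main__":
    for field, hits in audit_preferences(SAMPLE_PREFERENCES).items():
        print(field, hits)
```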

References