CVE-2025-51991
Published: 20 August 2025
Summary
CVE-2025-51991 is a high-severity Cross-site Scripting (CWE-79) vulnerability in XWiki. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Template Injection (T1221). The CVE ranks in the top 11.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
XWiki through version 17.3.0 contains a server-side template injection vulnerability in its Administration interface, specifically the HTTP Meta Info field within the Global Preferences Presentation section. The flaw stems from insufficient validation or sandboxing of user-supplied Apache Velocity template code during dynamic rendering of configuration fields, allowing arbitrary template logic to execute on the server. It is tracked under CWE-79 and CWE-94 with a CVSS 3.1 score of 8.8.
An authenticated administrator can supply crafted template expressions that execute without restriction, potentially disclosing internal server details or, depending on the deployment configuration, enabling remote code execution and sensitive data exposure. The attack requires no user interaction beyond administrative access and can be performed over the network.
The associated EPSS score remains flat at 0.0365 with no observed rise after disclosure, and no information on real-world exploitation or available patches is provided in the source data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25310
Vulnerability details
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.
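As an added defender-side check that is not part of this record or of XWiki's own code: the audit below flags Velocity directive or reference syntax in administrator-editable presentation fields such as HTTP Meta Info, which should only ever hold plain HTML meta tags. The property name "meta" and the sample values are constructed assumptions; in practice the values would come from an export of the wiki's preferences.

```python
import re
from dataclasses import dataclass

# Public Velocity Template Language syntax. Plain HTML <meta> tags, the
# intended content of the HTTP Meta Info field, should contain none of it.
DIRECTIVE = re.compile(
    r"#\{?(set|if|elseif|else|end|foreach|include|parse|evaluate|macro|define|stop|break)\b",
    re.IGNORECASE,
)
# $ref, $!ref, ${ref}, $obj.method(...): a letter or underscore must follow
# the sigil, so a literal "$5" in ordinary text is not flagged.
REFERENCE = re.compile(r"\$!?\{?[A-Za-z_][\w.]*")


@dataclass(frozen=True)
class Finding:
    field: str
    kind: str      # "directive" or "reference"
    snippet: str   # the matched text


def scan_value(field: str, value: str) -> list[Finding]:
    """Return every Velocity-looking construct found in one preference value."""
    found = [Finding(field, "directive", m.group(0)) for m in DIRECTIVE.finditer(value)]
    found += [Finding(field, "reference", m.group(0)) for m in REFERENCE.finditer(value)]
    return found


def audit_preferences(prefs: dict[str, str]) -> list[Finding]:
    """Scan a mapping of preference name -> value (e.g. an exported preferences object)."""
    findings: list[Finding] = []
    for field, value in prefs.items():
        findings.extend(scan_value(field, value or ""))
    return findings


# Constructed sample values; "meta" is an assumed name standing in for the
# HTTP Meta Info property. The second value shows what a tampered field looks like.
SAMPLE_PREFERENCES = {
    "meta": '<meta name="description" content="Team wiki, budget $5k">',
    "meta_tampered": '<meta name="x" content="#set($q = $request.getParameter("q")) $q">',
}

if __name__ == "__main__":
    for f in audit_preferences(SAMPLE_PREFERENCES):
        print(f"{f.field}: {f.kind} {f.snippet!r}")
```

Any finding on a field that is supposed to hold static HTML is worth treating as a change-control event, since only an administrator can write it.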
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-51991 is a Server-Side Template Injection (SSTI) vulnerability via Apache Velocity in the XWiki Administration interface's HTTP Meta Info field, directly enabling T1221: Template Injection for arbitrary template logic execution, potentially leading to RCE or information disclosure.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation and sanitization of user-supplied inputs, directly preventing SSTI by blocking malicious Apache Velocity templates in the HTTP Meta Info field.
SI-2 ensures timely patching and remediation of flaws, such as upgrading XWiki beyond version 17.3.0 to fix the improper template rendering vulnerability.
AC-6 enforces least privilege, limiting the number of authenticated administrators able to access and exploit the vulnerable Administration interface.