CVE-2025-53835
Published: 14 July 2025
Summary
CVE-2025-53835 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in XWiki Rendering (vendor: XWiki). Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
XWiki Rendering versions 5.4.5 through 14.9 contain a stored cross-site scripting flaw in the XHTML syntax. The component depended on the xdom+xml/current syntax, which supports raw blocks that accept arbitrary HTML and JavaScript. This allows injection when a user edits any document, including the user profile page that is writable by default.
An authenticated attacker who can modify content can therefore execute scripts in other users' browsers with the privileges of the affected page. The CVSS 9.0 score reflects the combination of network attack vector, low complexity, and full impact on confidentiality, integrity, and availability when the attack succeeds.
The vulnerability was resolved in version 14.10 by removing the dependency on xdom+xml/current from the XHTML syntax. The xdom+xml syntax itself remains vulnerable and is explicitly discouraged for production use; the only recommended mitigation is to upgrade. Public references include the fixing commit, the GitHub Security Advisory GHSA-w3wh-g4m9-783p, and the XRENDERING-660 Jira entry.
The EPSS score has remained flat at 0.0385 with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21399
Vulnerability details
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc.) into another syntax (XHTML, etc.). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax, which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As its main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading.
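A small triage helper, added here as an example and not part of the advisory or of XWiki's own tooling: it flags inventory records whose XWiki Rendering version falls in the affected range (5.4.5 up to, but not including, 14.10) and records that still have the `xdom+xml` syntax installed, which stays vulnerable after the fix. The inventory records, their field names and the host names are constructed sample data.

```python
# Added example: triage for CVE-2025-53835 (XWiki Rendering stored XSS).
# Assumed (not from the advisory): the inventory layout below and its field
# names "host", "rendering_version" and "syntaxes" are a constructed sample.

FIRST_AFFECTED = (5, 4, 5)   # first vulnerable XWiki Rendering release
FIXED = (14, 10)             # xdom+xml/current dependency removed from XHTML


def parse_version(text: str) -> tuple:
    """Parse 'major.minor[.patch]' into a tuple of ints.

    Pre-release strings such as '14.10-rc-1' raise ValueError: the advisory
    does not say which pre-releases carry the fix, so decide those by hand.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(text: str) -> bool:
    """True when the version lies in [5.4.5, 14.10)."""
    return FIRST_AFFECTED <= parse_version(text) < FIXED


def triage(instance: dict) -> list:
    """Return the findings for one inventory record (empty list = no action)."""
    findings = []
    if is_affected_version(instance["rendering_version"]):
        findings.append("upgrade XWiki Rendering to 14.10 or later (CVE-2025-53835)")
    # The xdom+xml syntax is for testing only and remains vulnerable after the fix.
    if any(s.startswith("xdom+xml") for s in instance.get("syntaxes", [])):
        findings.append("uninstall the xdom+xml syntax; it is still vulnerable")
    return findings


# Constructed sample inventory (hosts and versions are made up for the example).
INVENTORY = [
    {"host": "wiki-a.example", "rendering_version": "14.9", "syntaxes": ["xwiki/2.1", "xhtml/1.0"]},
    {"host": "wiki-b.example", "rendering_version": "14.10", "syntaxes": ["xwiki/2.1", "xdom+xml/current"]},
    {"host": "wiki-c.example", "rendering_version": "15.2", "syntaxes": ["xwiki/2.1"]},
    {"host": "wiki-d.example", "rendering_version": "5.4.4", "syntaxes": ["xwiki/2.1"]},
]


def report(inventory: list) -> dict:
    """Map each host to its findings."""
    return {i["host"]: triage(i) for i in inventory}


if __name__ == "__main__":
    for host, findings in report(INVENTORY).items():
        print(host, "->", findings or ["no action"])
```

Note that wiki-b is on the fixed release yet still gets a finding, because the advisory says the `xdom+xml` syntax itself remains vulnerable regardless of version.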
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stored XSS vulnerability (CWE-80) in XWiki Rendering allows low-privileged authenticated users to inject arbitrary JavaScript via editable documents (e.g., user profiles), exploiting the public-facing web application, executing JavaScript in victims' browsers upon viewing, and facilitating theft of web session cookies and browser credentials.
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): filters information output to web pages to prevent cross-site scripting attacks from arbitrary HTML and JavaScript insertion during XHTML rendering.
- SI-2 (Flaw Remediation): requires timely remediation of flaws like the xdom+xml/current syntax dependency that enables raw blocks and XSS in XWiki Rendering.
- Input validation: validates textual inputs to wiki documents and profiles to block malicious syntax exploitation leading to raw HTML/JS insertion.