Cyber Posture

CVE-2025-53836

Critical · Public PoC · RCE

Published: 15 July 2025
Modified: 26 August 2025
KEV Added:
Patch:
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0550 (90.3rd percentile)
Risk Priority: 23 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-53836 is a critical-severity Code Injection (CWE-94) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 9.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly remediates the vulnerability by applying patches to XWiki Rendering versions 13.10.11, 14.4.7, or 14.10, which fix the failure to preserve the restricted context in nested macros.

prevent: Validates textual inputs in wiki syntax or HTML to block malicious nested macros that bypass restricted mode and execute forbidden script macros.

prevent: Enforces the principle of least privilege by disabling comments or edit rights for untrusted users as a workaround, preventing exploitation via low-privilege inputs.

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability lets low-privileged users (e.g. those holding only comment rights) bypass restricted macro execution and achieve RCE through nested macros (such as a Groovy script macro) placed in comments on the public-facing XWiki application. That combination maps to both exploitation of a public-facing application and exploitation for privilege escalation.

NVD Description

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled.

Deeper analysis [AI]

CVE-2025-53836 affects XWiki Rendering, a generic rendering system that converts textual input in syntaxes like wiki syntax or HTML into outputs such as XHTML. The vulnerability exists in versions starting from 4.2-milestone-1 and prior to 13.10.11, 14.4.7, and 14.10. It stems from the default macro content parser failing to preserve the restricted attribute of the transformation context when executing nested macros. This allows execution of macros normally forbidden in restricted mode, particularly script macros. The bundled cache and chart macros use the vulnerable nested-execution feature, so they provide the container in which the restriction is lost.

Attackers require low privileges (PR:L) to exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L), no user interaction (UI:N), and changed scope (S:C), yielding high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) for a CVSS v3.1 base score of 9.9. Exploitation involves providing malicious input via comments or editable content that triggers nested macros, bypassing restrictions to execute arbitrary script macros (CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-863: Incorrect Authorization).

Patches address the issue in XWiki Rendering versions 13.10.11, 14.4.7, and 14.10, as detailed in the fixing commit at https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d and GitHub security advisory GHSA-32mf-57h2-64x9 (https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9). Related JIRA tickets include XRENDERING-689 (https://jira.xwiki.org/browse/XRENDERING-689) and XWIKI-20375 (https://jira.xwiki.org/browse/XWIKI-20375). As a workaround, disable comments for untrusted users pending upgrade, though users with edit rights can still add comments via the object editor.
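The defect class described in the NVD text and the deeper analysis above (a nested-content parser building a fresh transformation context and dropping the parent's restricted attribute) is easiest to see in a toy renderer. The following is an added, constructed example and not XWiki code: the markup syntax, the class `TransformationContext`, the macro table `MACROS`, and the function names `render_vulnerable`, `render_fixed` and `restricted_mode_is_preserved` are all hypothetical, and the "script" macro only returns a marker string instead of evaluating anything. It shows the vulnerable context-derivation beside the fix pattern (derive the nested context from the parent so restrictions carry over) and a regression check of the kind a maintainer would keep in a test suite.

```python
"""Toy macro renderer illustrating the defect class behind CVE-2025-53836.

Constructed example, not XWiki code: TransformationContext, MACROS and the
render_* functions are hypothetical. Macros return marker strings only.
"""
import re
from dataclasses import dataclass, replace

# Toy markup: {{name}}body{{/name}}; a body may itself contain macros.
MACRO_RE = re.compile(r"\{\{(\w+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)

# Macros that must never run while the transformation context is restricted
# (restricted mode is what content from low-privileged users renders under).
PRIVILEGED_MACROS = {"script"}


@dataclass(frozen=True)
class TransformationContext:
    restricted: bool
    depth: int = 0


def macro_info(body, ctx, nested):
    return f"[info:{body}]"


def macro_script(body, ctx, nested):
    # Stand-in for a script macro; it only emits a marker, never evaluates body.
    return f"<script-executed:{body}>"


def macro_cache(body, ctx, nested):
    # Container macro: its content is parsed and executed as nested markup,
    # mirroring the bundled cache/chart macros named in the advisory text.
    return f"[cache:{nested(body, ctx)}]"


MACROS = {"info": macro_info, "script": macro_script, "cache": macro_cache}


def _render(text, ctx, nested_ctx):
    """Expand every macro in `text`; `nested_ctx` derives the child context."""
    def run(match):
        name, body = match.group(1), match.group(2)
        if name not in MACROS:
            return f"[unknown:{name}]"
        if ctx.restricted and name in PRIVILEGED_MACROS:
            return f"[denied:{name}]"

        def nested(inner, parent_ctx):
            return _render(inner, nested_ctx(parent_ctx), nested_ctx)

        return MACROS[name](body, ctx, nested)

    return MACRO_RE.sub(run, text)


def nested_context_vulnerable(parent):
    # Models the defect: a fresh context is built for nested content and the
    # parent's restricted attribute is silently dropped.
    return TransformationContext(restricted=False, depth=parent.depth + 1)


def nested_context_fixed(parent):
    # Fix pattern: derive the child context from the parent, so restricted=True
    # survives however deeply macros are nested.
    return replace(parent, depth=parent.depth + 1)


def render_vulnerable(text, restricted=True):
    return _render(text, TransformationContext(restricted), nested_context_vulnerable)


def render_fixed(text, restricted=True):
    return _render(text, TransformationContext(restricted), nested_context_fixed)


def restricted_mode_is_preserved(render):
    """Regression check: a privileged macro wrapped in a container macro must
    still be denied when the outer context is restricted."""
    out = render("{{cache}}{{script}}x{{/script}}{{/cache}}", restricted=True)
    return "script-executed" not in out


if __name__ == "__main__":
    sample = "{{cache}}{{script}}x{{/script}}{{/cache}}"  # constructed input
    print("vulnerable:", render_vulnerable(sample))
    print("fixed:     ", render_fixed(sample))
```

Run as a script, the vulnerable renderer prints `[cache:<script-executed:x>]` while the fixed one prints `[cache:[denied:script]]`; a direct, un-nested `{{script}}` is denied by both, which is why the bug only surfaces through container macros. The check `restricted_mode_is_preserved` is the property that a patch for this class of bug should pin down in tests: the restricted flag must be inherited, not recreated, at every nesting level.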

Details

CWE(s)

Affected Products

Vendor: xwiki
Product: xwiki
Versions: 4.2 · 4.3 to 13.10.11 · 14.0 to 14.4.7 · 14.5 to 14.10

CVEs Like This One

CVE-2025-29924 (same product: Xwiki Xwiki)
CVE-2025-24893 (same product: Xwiki Xwiki)
CVE-2026-33229 (same product: Xwiki Xwiki)
CVE-2025-32429 (same product: Xwiki Xwiki)
CVE-2025-23025 (same product: Xwiki Xwiki)
CVE-2025-54385 (same product: Xwiki Xwiki)
CVE-2025-29926 (same product: Xwiki Xwiki)
CVE-2025-51991 (same product: Xwiki Xwiki)
CVE-2025-55747 (same product: Xwiki Xwiki)
CVE-2025-53835 (same product: Xwiki Xwiki)

References