Cyber Resilience

CVE-2025-53836

Critical · Public PoC · RCE

Published: 15 July 2025
Modified: 26 August 2025
KEV Added: not listed
Patch: available (fixed in 13.10.11, 14.4.7 and 14.10)
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0550 (90.4th percentile)
Risk Priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-53836 is a critical-severity code injection (CWE-94) vulnerability in XWiki (vendor/product: Xwiki Xwiki). Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 9.6% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

XWiki Rendering, the component responsible for converting textual input such as wiki syntax or HTML into output formats like XHTML, contains a flaw in its default macro content parser. Starting with version 4.2-milestone-1 and prior to the releases 13.10.11, 14.4.7, and 14.10, the parser fails to preserve the restricted attribute of the transformation context when processing nested macros. This defect affects the bundled cache and chart macros and is tracked under CWE-94 and CWE-863.

An authenticated attacker with low privileges can supply content that triggers nested macro execution, bypassing the restrictions that normally prevent script macros from running. Successful exploitation yields full control over the affected XWiki instance, enabling arbitrary code execution with impacts across confidentiality, integrity, and availability and with a changed scope, consistent with the CVSS 9.9 rating.
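To make the defect class concrete, the following is an added toy model in Python; it is not XWiki's code. The `{{name}}...{{/name}}` macro syntax, the `TransformationContext` class, the `cache` container macro and the `script` macro are constructed stand-ins for the illustration. The model shows the one property the advisory is about: when a container macro parses its body as nested content, the `restricted` attribute of the caller's transformation context must be inherited. The `vulnerable=True` path parses nested content with a fresh, unrestricted context, so the restriction set for a low-privileged author is lost; the default path propagates it and the nested script macro is refused.

```python
"""Toy model (added illustration, not XWiki code) of why a transformation
context's `restricted` flag must survive nested macro execution."""
import re
from dataclasses import dataclass

# Constructed macro syntax: {{name}}body{{/name}}, nesting allowed.
MACRO_RE = re.compile(r"\{\{(\w+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)

# Macros that must never run when the context is restricted, i.e. when the
# content was authored by a low-privileged user (a comment, for instance).
SCRIPT_MACROS = {"script"}


@dataclass
class TransformationContext:
    """Hypothetical context object; only the restricted flag matters here."""
    restricted: bool


class MacroRefused(Exception):
    """Raised when a forbidden macro is encountered in restricted mode."""


def render(text: str, ctx: TransformationContext, preserve_restricted: bool) -> str:
    """Render `text`, executing macros in the given context.

    Container macros such as `cache` parse their body as nested content.
    With preserve_restricted=True (patched behaviour) the nested parse
    inherits `ctx`; with preserve_restricted=False (the flaw) it starts
    from a fresh, unrestricted context, so the caller's restriction is lost.
    """
    def run(match: re.Match) -> str:
        name, body = match.group(1), match.group(2)
        if name in SCRIPT_MACROS:
            if ctx.restricted:
                raise MacroRefused(f"{name} macro forbidden in restricted mode")
            return f"<script-output:{body.strip()}>"
        if name == "cache":
            nested_ctx = ctx if preserve_restricted else TransformationContext(restricted=False)
            return render(body, nested_ctx, preserve_restricted)
        # Any other macro is harmless in this model and just renders its body.
        return f"<{name}:{body}>"

    return MACRO_RE.sub(run, text)


def render_untrusted(text: str, vulnerable: bool = False) -> "str | None":
    """Render content from a low-privileged author in restricted mode.

    Returns the rendered output, or None when a forbidden macro was refused
    (the correct outcome for untrusted content containing a script macro).
    """
    ctx = TransformationContext(restricted=True)
    try:
        return render(text, ctx, preserve_restricted=not vulnerable)
    except MacroRefused:
        return None


# Constructed sample: a script macro nested inside a container macro.
SAMPLE = "{{cache}}hello {{script}}1+1{{/script}}{{/cache}}"

if __name__ == "__main__":
    print("flawed parser :", render_untrusted(SAMPLE, vulnerable=True))   # script ran
    print("patched parser:", render_untrusted(SAMPLE, vulnerable=False))  # None: refused
```

The top-level script macro is refused in both variants; only nesting inside a container macro exposes the difference, which is exactly why the advisory singles out the bundled `cache` and `chart` macros as the paths that use the vulnerable feature.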

Security advisories and the associated patches direct administrators to upgrade to one of the fixed versions. As an interim step, comments can be disabled for untrusted users, although accounts possessing edit rights can still insert comments through the object editor.

The EPSS score has remained flat at 0.0550 with no observed rise after disclosure.

Vulnerability details

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc.) into another syntax (XHTML, etc.). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled.

CWE(s)

CWE-94 (Improper Control of Generation of Code, "Code Injection")
CWE-863 (Incorrect Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability lets low-privileged users (for example, those holding only comment rights) bypass restricted macro execution and reach remote code execution through nested macros such as Groovy placed in comments on a public-facing XWiki instance. That path maps to both Exploit Public-Facing Application (T1190) for the initial foothold and Exploitation for Privilege Escalation (T1068) for the jump from comment rights to full control.

CVEs Like This One

CVE-2025-29924 (same product: Xwiki Xwiki)
CVE-2025-24893 (same product: Xwiki Xwiki)
CVE-2026-33229 (same product: Xwiki Xwiki)
CVE-2025-23025 (same product: Xwiki Xwiki)
CVE-2025-29926 (same product: Xwiki Xwiki)
CVE-2025-54385 (same product: Xwiki Xwiki)
CVE-2025-32429 (same product: Xwiki Xwiki)
CVE-2025-51991 (same product: Xwiki Xwiki)
CVE-2025-55747 (same product: Xwiki Xwiki)
CVE-2025-53835 (same product: Xwiki Xwiki)

Affected Assets

Vendor: xwiki
Product: xwiki
Affected versions: 4.2; 4.3 up to (excluding) 13.10.11; 14.0 up to (excluding) 14.4.7; 14.5 up to (excluding) 14.10

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly remediates the vulnerability by upgrading XWiki Rendering to version 13.10.11, 14.4.7, or 14.10, which fix the failure to preserve the restricted context across nested macros.

SI-10 Information Input Validation (prevent): Validates textual input in wiki syntax or HTML to block nested macro content that bypasses restricted mode and executes forbidden script macros.

AC-6 Least Privilege (prevent): Applies the principle of least privilege by disabling comments or edit rights for untrusted users as an interim workaround, reducing the low-privilege input paths through which the flaw can be reached.
