CVE-2025-55727
Published: 09 September 2025
Summary
CVE-2025-55727 is a critical-severity Eval Injection (CWE-95) vulnerability in XWiki Pro Macros. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Patching: directly mitigates the vulnerability by requiring a timely upgrade to version 1.26.5 or later, which escapes the width parameter to prevent XWiki syntax injection and RCE.
- SI-10 (Information Input Validation): requires validation and sanitization of the width parameter input to block malicious XWiki syntax injection in the column macro.
- SI-15 (Information Output Filtering): mandates output filtering and escaping of the untrusted width parameter when generating XWiki syntax to prevent code injection and execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE in public-facing XWiki web app via unsanitized macro parameter injection (CWE-94/95).
NVD Description
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the width parameter in the column macro allows remote code execution for any user who can edit any page or who can access the CKEditor converter. The width parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution when the macro has been installed by a user with programming right, or it at least allows executing Velocity code as the wiki admin. Version 1.26.5 contains a patch for the issue.
Deeper analysis
CVE-2025-55727 is a remote code execution vulnerability in the XWiki Remote Macros extension, which provides rendering macros for migrating content from Confluence to XWiki. The issue stems from missing escaping of the width parameter in the column macro, affecting versions 1.0 through 1.26.4. This flaw allows XWiki syntax injection because the parameter is inserted without proper sanitization, enabling attackers to inject malicious XWiki syntax. It is associated with CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and CWE-94 (Improper Control of Generation of Code), and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Any user who can edit a page or access the CKEditor converter can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation leads to remote code execution if the macro was installed by a user with programming rights; otherwise, it at minimum allows execution of Velocity code with wiki admin privileges, potentially granting full control over the affected XWiki instance.
The security advisory GHSA-hxqp-983c-m8h9 on GitHub details the vulnerability, with the patch applied in version 1.26.5 via commit 05651adb4b58d03ba862d5290c645feeffd2121b, which addresses the unescaped width parameter at line 438 in Column.xml. Administrators should upgrade to version 1.26.5 or later to mitigate the issue.
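The injection pattern described above, as an added example that is not code from the XWiki Remote Macros extension: the unescaped concatenation beside a hardened version that enforces the SI-10 allowlist before the value reaches the generated markup, plus an audit helper for reviewing stored width values. The group-with-style markup it emits is an assumed, simplified stand-in for whatever the real column macro generates.

```python
import re

# Allowlist for a column width: a CSS length, a percentage, or "auto".
# Constructed for this example; it is not the extension's own validation.
WIDTH_RE = re.compile(r"^(?:auto|\d+(?:\.\d+)?(?:px|%|em|rem))$")


def width_is_valid(value: str) -> bool:
    """SI-10: accept only a plain CSS width; anything else is not a width."""
    return WIDTH_RE.fullmatch(value.strip()) is not None


def render_column_vulnerable(width: str, body: str) -> str:
    """Before the fix (modelled): the untrusted width is concatenated into
    XWiki syntax unchanged, so any syntax it carries is parsed and rendered
    with the rights of the macro's author."""
    return f'(% style="width:{width}" %)((({body})))'


def render_column_hardened(width: str, body: str) -> str:
    """After the fix (modelled): a value that fails the allowlist never reaches
    the markup; a harmless default is substituted instead."""
    if not width_is_valid(width):
        width = "auto"
    return f'(% style="width:{width}" %)((({body})))'


def audit_widths(values):
    """Defender check: return the width values that would have been injected,
    e.g. when reviewing stored page content or request logs for this parameter."""
    return [v for v in values if not width_is_valid(v)]


# Constructed sample values: two legitimate widths and two tampered ones that
# carry XWiki parameter/macro delimiters instead of a width.
SAMPLE_WIDTHS = ["50%", "320px", '10px" %)', "{{macro/}}"]

if __name__ == "__main__":
    for v in SAMPLE_WIDTHS:
        print(repr(v), "valid" if width_is_valid(v) else "REJECTED")
        print("   ", render_column_hardened(v, "text"))
```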
Details
- CWE(s)