Cyber Resilience

CVE-2025-55727

CriticalPublic PoCRCE

Published: 09 September 2025

Published
09 September 2025
Modified
17 September 2025
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0818 92.4th percentile
Risk Priority 25 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55727 is a critical-severity Eval Injection (CWE-95) vulnerability in Xwiki Pro Macros. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

XWiki Remote Macros, a set of rendering macros for migrating content from Confluence, contains an input sanitization flaw in the column macro. Starting with version 1.0 and prior to 1.26.5, the width parameter is inserted unescaped into generated XWiki syntax, enabling syntax injection. The affected component is the Column.xml macro implementation, which is installed with programming rights in many deployments and therefore exposes the full XWiki execution context.

An attacker who can edit any wiki page or invoke the CKEditor converter can supply a malicious width value. When the macro subsequently renders, the injected syntax executes either as remote code (if the macro was installed by a user holding programming rights) or as Velocity code under the wiki administrator account, resulting in arbitrary code execution on the server.

The project security advisory and the patch released in version 1.26.5 address the issue by properly escaping the width parameter before it is used in XWiki syntax; administrators are advised to upgrade immediately and to audit any custom macros that accept untrusted parameters.

The EPSS score rose from a low baseline to a peak of 0.1908 on 2026-01-13 before receding, indicating that exploitation interest increased after public disclosure.

EU & UK References

Vulnerability details

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the width parameter in the column macro allows remote code execution for any…

more

user who can edit any page or who can access the CKEditor converter. The width parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution when the macro has been installed by a user with programming right, or it at least allows executing Velocity code as the wiki admin. Version 1.26.5 contains a patch for the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE in public-facing XWiki web app via unsanitized macro parameter injection (CWE-94/95).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-55728Same product: Xwiki Pro Macros
CVE-2025-65036Same product: Xwiki Pro Macros
CVE-2025-24893Same vendor: Xwiki
CVE-2025-66474Same vendor: Xwiki
CVE-2025-29924Same vendor: Xwiki
CVE-2025-29926Same vendor: Xwiki
CVE-2025-54385Same vendor: Xwiki
CVE-2025-32429Same vendor: Xwiki
CVE-2025-53836Same vendor: Xwiki
CVE-2025-55747Same vendor: Xwiki

Affected Assets

xwiki
pro macros
1.0 — 1.26.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely patching to version 1.26.5 or later, which escapes the width parameter to prevent XWiki syntax injection and RCE.

prevent

Requires validation and sanitization of the width parameter input to block malicious XWiki syntax injection in the column macro.

prevent

Mandates output filtering and escaping of the untrusted width parameter when generating XWiki syntax to prevent code injection and execution.

References