CVE-2025-55727
Published: 09 September 2025
Summary
CVE-2025-55727 is a critical-severity Eval Injection (CWE-95) vulnerability in Xwiki Pro Macros. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 7.6% of CVEs by exploit likelihood, a public proof-of-concept is referenced, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
XWiki Remote Macros, a set of rendering macros for migrating content from Confluence, contains an input sanitization flaw in the column macro. Starting with version 1.0 and prior to 1.26.5, the width parameter is inserted unescaped into generated XWiki syntax, enabling syntax injection. The affected component is the Column.xml macro implementation, which is installed with programming rights in many deployments and therefore exposes the full XWiki execution context.
An attacker who can edit any wiki page or invoke the CKEditor converter can supply a malicious width value. When the macro subsequently renders, the injected syntax executes either as remote code (if the macro was installed by a user holding programming rights) or as Velocity code under the wiki administrator account, resulting in arbitrary code execution on the server.
The project security advisory and the patch released in version 1.26.5 address the issue by properly escaping the width parameter before it is used in XWiki syntax; administrators are advised to upgrade immediately and to audit any custom macros that accept untrusted parameters.
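The unescaped-parameter pattern described above, beside the input-validation and output-escaping controls named at the top of the page, as an added illustration that is not the project's code: a Python stand-in for the column macro's rendering (the real macro is Velocity inside Column.xml, whose source is not on this page). The `(% style=... %)` group markup, the CSS-length allowlist and the `~` escape rule are assumptions made for the example.

```python
import re

# Allowlist for the width parameter: a number with an optional CSS unit.
# Constructed rule for this example; the forms the real macro accepts are not on the page.
WIDTH_RE = re.compile(r"\d{1,4}(?:\.\d{1,2})?(?:px|%|em|rem)?")

# Characters that can terminate a double-quoted XWiki parameter value.
# Assumption: XWiki 2.1 syntax uses '~' as its escape character, so '~' must be escaped too.
NEEDS_ESCAPE = re.compile(r'(["~])')


def validate_width(width: str) -> str:
    """SI-10 control: accept only a plain CSS length, otherwise refuse to render."""
    candidate = width.strip()
    if not WIDTH_RE.fullmatch(candidate):
        raise ValueError(f"rejected width parameter: {width!r}")
    return candidate


def escape_xwiki_param(value: str) -> str:
    """SI-15 control: escape a value so it cannot leave its quoted parameter."""
    return NEEDS_ESCAPE.sub(r"~\1", value)


def render_column_vulnerable(width: str, body: str) -> str:
    """Mirrors the flaw: the width value is concatenated straight into XWiki syntax."""
    return f'(% style="width:{width}" %)(((\n{body}\n)))'


def render_column_fixed(width: str, body: str) -> str:
    """Hardened form: validate first, then escape anyway (defence in depth)."""
    safe_width = escape_xwiki_param(validate_width(width))
    return f'(% style="width:{safe_width}" %)(((\n{body}\n)))'


def injected_macro_count(markup: str) -> int:
    """Rough review check: number of macro openings in generated markup.
    The column group itself opens no macro, so any hit came from a parameter."""
    return len(re.findall(r"\{\{[a-zA-Z]+", markup))


if __name__ == "__main__":
    # Constructed input: a width that closes the style attribute and smuggles a
    # harmless {{info}} box into the page, standing in for the real injection.
    hostile = '100px" %) {{info}}injected{{/info}} (% style="'
    print(render_column_vulnerable(hostile, "text"))
    print(injected_macro_count(render_column_vulnerable(hostile, "text")))
    try:
        render_column_fixed(hostile, "text")
    except ValueError as exc:
        print(exc)
    print(render_column_fixed("50%", "text"))
```

The same check applies when auditing other custom macros: any parameter that reaches generated XWiki syntax without passing through a validator or escaper is the condition this advisory describes.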
The EPSS score rose from a low baseline to a peak of 0.1908 on 2026-01-13 before receding, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27462
Vulnerability details
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the width parameter in the column macro allows remote code execution for any user who can edit any page or who can access the CKEditor converter. The width parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection, which enables remote code execution when the macro has been installed by a user with programming rights, or at least allows executing Velocity code as the wiki admin. Version 1.26.5 contains a patch for the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE in public-facing XWiki web app via unsanitized macro parameter injection (CWE-94/95).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the vulnerability by requiring timely patching to version 1.26.5 or later, which escapes the width parameter to prevent XWiki syntax injection and RCE.
- SI-10 (Information Input Validation): requires validation and sanitization of the width parameter input to block malicious XWiki syntax injection in the column macro.
- SI-15 (Information Output Filtering): mandates output filtering and escaping of the untrusted width parameter when generating XWiki syntax to prevent code injection and execution.