CVE-2025-55728
Published: 09 September 2025
Summary
CVE-2025-55728 is a critical-severity Eval Injection (CWE-95) vulnerability in XWiki Pro Macros. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
XWiki Remote Macros, a set of rendering macros intended for Confluence-to-XWiki migrations, contains an injection vulnerability in the panel macro. Starting with version 1.0 and prior to 1.26.5, the classes parameter is incorporated into XWiki syntax without escaping, enabling syntax injection that leads to remote code execution. The flaw is tracked under CWE-95 and CWE-94 and carries a CVSS 3.1 score of 10.0.
Any user able to edit a page can supply a malicious classes value and obtain arbitrary code execution on the server with no additional authentication or user interaction required. Successful exploitation grants full confidentiality, integrity, and availability impact across the affected XWiki instance.
The project security advisory and accompanying commit in version 1.26.5 address the issue by properly escaping the parameter; administrators are advised to upgrade immediately. The referenced GitHub advisory and XWiki Jira entry provide the patch details and upgrade guidance.
EPSS for the CVE rose from a low baseline to a peak of 0.2004 on 2026-01-13 before receding to the current value of 0.0400, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27451
Vulnerability details
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection, which enables remote code execution. Version 1.26.5 contains a patch for the issue.
- CWE(s): CWE-95 (Eval Injection), CWE-94 (Improper Control of Generation of Code)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Missing input escaping in a public-facing XWiki macro directly enables unauthenticated remote code execution via syntax injection in a web application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of the unescaped 'classes' parameter to prevent XWiki syntax injection and subsequent RCE.
- SI-15 (Information Output Filtering): mandates filtering and escaping of the 'classes' parameter when rendered in XWiki syntax to block code injection attacks.
- Flaw remediation: ensures timely remediation by patching the XWiki Remote Macros extension to version 1.26.5 or later, which fixes the escaping vulnerability.
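The vulnerability details above describe a macro parameter that reaches the XWiki renderer unescaped, and the SI-10 control above calls for validating it first. The following is an added example, not code from the XWiki Pro Macros project or its fix (which escapes the value); it shows the complementary allow-list check a macro author could apply before the 'classes' value is ever placed into wiki markup, assuming class names are restricted to CSS-identifier-like tokens.

```python
import re

# Constructed example: an allow-list validator for a macro "classes"
# parameter. Only CSS-identifier-like tokens are accepted, so no XWiki
# syntax characters (braces, quotes, percent signs, ...) can reach the
# renderer. Anything else is rejected outright rather than "cleaned".

# One CSS class token: optional leading hyphen, then a letter or
# underscore, then letters, digits, hyphens or underscores.
_CLASS_TOKEN = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_-]*$")


def validate_classes(raw: str, max_tokens: int = 20) -> list[str]:
    """Return the validated list of class names, or raise ValueError.

    Validation runs before the value is interpolated into any markup
    (NIST SI-10): rejection is the only failure mode, there is no
    partial acceptance of a value that contains markup characters.
    """
    if raw is None:
        return []
    tokens = raw.split()          # whitespace-separated class names
    if len(tokens) > max_tokens:
        raise ValueError("too many class names")
    for tok in tokens:
        if not _CLASS_TOKEN.fullmatch(tok):
            raise ValueError(f"invalid class name: {tok!r}")
    return tokens


def render_panel_classes(raw: str) -> str:
    """Hypothetical helper: build the class attribute for a panel wrapper.

    Validated tokens are re-joined with single spaces; a value that
    failed validation never reaches the rendering step.
    """
    return " ".join(validate_classes(raw))


if __name__ == "__main__":
    # Constructed sample values: two legitimate, one carrying markup.
    for sample in ["panel highlight", "  col-2 _note  ", "panel {{ injected"]:
        try:
            print(repr(sample), "->", repr(render_panel_classes(sample)))
        except ValueError as exc:
            print(repr(sample), "-> rejected:", exc)
```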