
CVE-2025-55728

Critical · RCE

Published: 09 September 2025
Modified: 17 September 2025
KEV Added: not listed
Patch: available (fixed in version 1.26.5)
CVSS v3.1 score: 10.0 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0400 (88.7th percentile)
Risk priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-55728 is a critical-severity Eval Injection (CWE-95) vulnerability in XWiki Remote Macros, catalogued here under the product name Xwiki Pro Macros. Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 11.3% of CVEs by predicted exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

XWiki Remote Macros, a set of rendering macros intended for Confluence-to-XWiki migrations, contains an injection vulnerability in the panel macro. Starting with version 1.0 and prior to 1.26.5, the classes parameter is incorporated into XWiki syntax without escaping, enabling syntax injection that leads to remote code execution. The flaw is tracked under CWE-95 and CWE-94 and carries a CVSS 3.1 score of 10.0.

Any user who can edit a page can supply a malicious classes value and obtain arbitrary code execution on the server, with no user interaction required. The CVSS vector scores privileges required as none (PR:N); in practice the attacker needs whatever access the instance demands for editing a page, which on wikis that allow guest editing or open registration is no account at all. Successful exploitation grants full confidentiality, integrity, and availability impact across the affected XWiki instance.

The project security advisory and accompanying commit in version 1.26.5 address the issue by properly escaping the parameter; administrators are advised to upgrade immediately. The referenced GitHub advisory and XWiki Jira entry provide the patch details and upgrade guidance.
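As an added illustration (not code from the Remote Macros project or from the advisory), the following Python models the mechanism described above and the two fixes that the mitigating controls below call for: the vulnerable path drops the parameter straight into an XWiki 2.1 group with a class parameter, the hardened path allowlist-validates the value before interpolation, and a scanner walks stored page source looking for panel invocations whose classes value carries anything other than CSS class tokens. The markup template, the payload, and the sample pages are constructed assumptions for the demonstration; the real macro's template and the published exploit are not reproduced here.

```python
"""Model of CVE-2025-55728 (XWiki Remote Macros panel macro): the
`classes` parameter is interpolated into XWiki 2.1 syntax unescaped.
Illustrative example, not the project's own code."""
import re
from typing import Dict, List, Tuple

# Constructed attacker value (example only, not the published exploit):
# the quote and "%)" close the group's parameter block, "(((" opens a
# group, and a script macro follows as live markup.
MALICIOUS_CLASSES = 'x" %)((( {{groovy}}println("pwned"){{/groovy}}'

# One token of a CSS class list: letters, digits, hyphen, underscore.
CLASS_TOKEN = re.compile(r'^[A-Za-z_-][A-Za-z0-9_-]*$')


def render_panel_vulnerable(classes: str, body: str) -> str:
    """Pre-1.26.5 behaviour (modelled template): the untrusted value is
    dropped straight into wiki markup, so wiki syntax inside `classes`
    is parsed as markup rather than as a class name."""
    return f'(% class="panel {classes}" %)(((\n{body}\n)))'


def validate_classes(classes: str) -> str:
    """Allowlist validation (NIST SI-10): accept only CSS class tokens,
    normalising whitespace between them."""
    tokens = classes.split()
    bad = [t for t in tokens if not CLASS_TOKEN.match(t)]
    if bad:
        raise ValueError(f'rejected class tokens: {bad!r}')
    return ' '.join(tokens)


def render_panel_hardened(classes: str, body: str) -> str:
    """Validated interpolation: anything that is not a class token is
    refused before it can reach the rendered markup."""
    return f'(% class="panel {validate_classes(classes)}" %)(((\n{body}\n)))'


# Hunting across stored page source: flag panel invocations whose
# `classes` value is not a plain class list.  {{panel ...}} is XWiki's
# standard macro invocation form; the parameter parsing here is
# deliberately simplified (first classes= after the macro start).
PANEL_RE = re.compile(r'\{\{panel\b')
CLASSES_RE = re.compile(r'classes\s*=\s*(?:"([^"]*)"|\'([^\']*)\')')


def find_suspicious_panel_params(pages: Dict[str, str]) -> List[Tuple[str, str]]:
    hits = []
    for name, src in pages.items():
        for m in PANEL_RE.finditer(src):
            p = CLASSES_RE.search(src, m.end())
            if not p:
                continue
            value = p.group(1) if p.group(1) is not None else p.group(2)
            try:
                validate_classes(value)
            except ValueError:
                hits.append((name, value))
    return hits


# Constructed page sources for the demonstration (not real wiki content).
SAMPLE_PAGES = {
    'Main.Welcome': '{{panel title="Hello" classes="panel-info wide"}}Welcome{{/panel}}',
    'Sandbox.Test': "{{panel classes='" + MALICIOUS_CLASSES + "'}}body{{/panel}}",
    'Docs.Guide': 'Plain text, no macro here.',
}

if __name__ == '__main__':
    print(render_panel_vulnerable(MALICIOUS_CLASSES, 'body'))
    print(render_panel_hardened('panel-info wide', 'body'))
    print(find_suspicious_panel_params(SAMPLE_PAGES))
```

The allowlist is the control that matters: once the value can only contain class tokens, the question of which characters XWiki syntax treats as special no longer arises. The scanner is a triage aid for instances that ran a vulnerable version, since a malicious value has to be stored in page source (or page history) to fire; it is not a substitute for upgrading to 1.26.5.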

EPSS for the CVE rose from a low baseline to a peak of 0.2004 on 2026-01-13 before receding to the current value of 0.0400, indicating that the model's predicted likelihood of exploitation increased after public disclosure and has since declined.


Vulnerability details

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 contains a patch for the issue.

CWE(s): CWE-95 (Eval Injection), CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing escaping of a macro parameter in an Internet-facing XWiki instance lets anyone who can edit a page reach remote code execution through wiki syntax injection; the attack surface is the web application itself, which is the T1190 pattern.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-55727 (same product: Xwiki Pro Macros)
CVE-2025-65036 (same product: Xwiki Pro Macros)
CVE-2025-24893 (same vendor: Xwiki)
CVE-2025-66474 (same vendor: Xwiki)
CVE-2025-29924 (same vendor: Xwiki)
CVE-2025-29926 (same vendor: Xwiki)
CVE-2025-54385 (same vendor: Xwiki)
CVE-2025-32429 (same vendor: Xwiki)
CVE-2025-53836 (same vendor: Xwiki)
CVE-2025-55747 (same vendor: Xwiki)

Affected Assets

xwiki pro macros: versions from 1.0 up to, but not including, 1.26.5

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): validate and sanitize the unescaped 'classes' parameter to prevent XWiki syntax injection and subsequent RCE.

Prevent (SI-15, Information Output Filtering): filter and escape the 'classes' parameter when it is rendered into XWiki syntax, blocking code injection.

Prevent: remediate promptly by upgrading the XWiki Remote Macros extension to version 1.26.5 or later, which fixes the escaping flaw.
