Cyber Posture

CVE-2025-55728

Critical · RCE

Published: 09 September 2025
Modified: 17 September 2025
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0400 (88.5th percentile)
Risk Priority: 22 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55728 is a critical-severity Eval Injection (CWE-95) vulnerability in Xwiki Pro Macros. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Requires validation and sanitization of the unescaped 'classes' parameter to prevent XWiki syntax injection and subsequent RCE.
- prevent: Mandates filtering and escaping of the 'classes' parameter when rendered in XWiki syntax to block code injection attacks.
- prevent: Ensures timely remediation by patching the XWiki Remote Macros extension to version 1.26.5 or later, which fixes the escaping vulnerability.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing input escaping in a public-facing XWiki macro directly enables remote code execution via syntax injection in a web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 contains a patch for the issue.

Deeper analysis

CVE-2025-55728 affects the XWiki Remote Macros extension, which provides XWiki rendering macros for migrating content from Confluence. The vulnerability stems from missing escaping of the "classes" parameter in the panel macro, enabling XWiki syntax injection. This issue impacts versions from 1.0 up to but not including 1.26.5, allowing remote code execution (RCE) via unescaped usage of the parameter in XWiki syntax. It is classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and CWE-94 (Improper Control of Generation of Code), with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

The CVSS vector rates the flaw as reachable over the network with low attack complexity, no privileges required and no user interaction, while the NVD description notes that the attacker needs the ability to edit a page. Successful exploitation changes scope and yields high-impact confidentiality, integrity, and availability compromise through RCE on the affected XWiki instance.

Advisories and the patch details indicate that version 1.26.5 resolves the issue by addressing the escaping flaw, as documented in the GitHub security advisory GHSA-48f4-h726-74p5, the fixing commit, the vulnerable code location in Panel.xml, and XWiki Jira ticket XWIKI-20449. Security practitioners should upgrade to 1.26.5 or later to mitigate the risk.
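The controls above call for validating and escaping the panel macro's classes parameter before it is rendered as XWiki syntax. The following Python helper is an added illustration of that defensive pattern, not code from XWiki or the Remote Macros extension; it assumes the value is a space-separated list of CSS class names and that the surrounding group markup has the shape `(% class="..." %)((( ... )))`.

```python
import re
from typing import List, Optional

# Constructed defensive helper: the macro's "classes" value is treated as
# untrusted input and only reaches the markup after passing an allowlist.

# One CSS class token: a letter followed by letters, digits, "-" or "_".
# Markup metacharacters such as {{, }}, (%, quotes and "~" can never match.
CLASS_TOKEN = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def validate_classes(value: str) -> Optional[List[str]]:
    """Return the class tokens if every one is well-formed, otherwise None."""
    tokens = value.split()
    if not tokens or any(CLASS_TOKEN.match(t) is None for t in tokens):
        return None
    return tokens


def escape_xwiki(value: str) -> str:
    """Escape-all fallback for XWiki 2.x syntax, where "~" makes the
    following character literal, so no sequence can open a macro or group."""
    return "".join("~" + ch for ch in value)


def render_panel_group(classes: str) -> str:
    """Build the group markup (assumed shape) only from validated tokens.

    Anything that is not a plain list of CSS class tokens is rejected
    instead of being interpolated into the XWiki syntax string.
    """
    tokens = validate_classes(classes)
    if tokens is None:
        raise ValueError("classes parameter rejected: not a list of CSS class tokens")
    joined = " ".join(tokens)
    return f'(% class="{joined}" %)(((\npanel body\n)))'
```

Allowlisting is the primary control because the parameter has a narrow legitimate grammar; the escape-all helper is a secondary defence for places where free text must be embedded in XWiki syntax.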

Details

CWE(s): CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), CWE-94 (Improper Control of Generation of Code)

Affected Products

xwiki pro macros: versions 1.0 to 1.26.5 (fixed in 1.26.5)

CVEs Like This One

CVE-2025-55727 (same product: Xwiki Pro Macros)
CVE-2025-65036 (same product: Xwiki Pro Macros)
CVE-2025-24893 (same vendor: Xwiki)
CVE-2025-66474 (same vendor: Xwiki)
CVE-2025-29924 (same vendor: Xwiki)
CVE-2025-32429 (same vendor: Xwiki)
CVE-2025-54385 (same vendor: Xwiki)
CVE-2025-29926 (same vendor: Xwiki)
CVE-2025-53836 (same vendor: Xwiki)
CVE-2025-55747 (same vendor: Xwiki)
