CVE-2025-55729
Published: 09 September 2025
Summary
CVE-2025-55729 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Xwiki (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
XWiki Remote Macros, a set of rendering macros for migrating content from Confluence, contains an improper output escaping flaw in the ConfluenceLayoutSection macro. The ac:type parameter, specifically through its classes value, is inserted unescaped into XWiki syntax, enabling syntax injection. The issue affects all versions from 1.0 through 1.26.4 and carries a CVSS 3.1 score of 10.0 under CWE-116.
Any authenticated user able to edit a page can supply a malicious ac:type value that executes arbitrary XWiki script, resulting in remote code execution on the server with no further user interaction required. The attack is fully remote and requires only page-edit rights rather than administrative privileges.
The project security advisory GHSA-22xj-jpjg-gpgw and the linked commit 06e6cf3 document the root cause in ConfluenceLayoutSection.xml and confirm that version 1.26.5 contains the corrective escaping changes; the associated XWIKI-20449 Jira entry tracks the same remediation.
EPSS remains flat at 0.0117 with no material increase after disclosure, and no public evidence of in-the-wild exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27429
Vulnerability details
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated XWiki syntax injection leading to arbitrary server-side code execution directly maps to public-facing app exploitation (T1190) and command/scripting interpreter usage (T1059).
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the vulnerability by requiring timely remediation through upgrading to version 1.26.5, which fixes the missing escaping in the ConfluenceLayoutSection macro.
- SI-10 (Information Input Validation): mandates validation of user-supplied parameters like ac:type and classes to block XWiki syntax injection leading to remote code execution.
- CM-7 (Least Functionality): limits system functionality by disabling unnecessary macros such as ConfluenceLayoutSection when not required for Confluence migration, reducing the attack surface.
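The flaw described under "Deeper analysis" (a caller-controlled classes value concatenated straight into generated wiki markup) and the SI-10 control above (validate the parameter before use) can both be illustrated with a small, language-agnostic model. The following Python is an added example written for this page; it is not the XWiki Remote Macros code, the project's fix, or any XWiki API. The `(% class="..." %)(((...)))` markup shape, the allowlist for class names, and the function and sample names are all assumptions made for the illustration.

```python
import re

# Assumed policy for a space-separated list of CSS class names: each token
# must start with a letter or underscore and contain only letters, digits,
# hyphen or underscore. This is an illustrative allowlist, not XWiki's rule.
CLASS_TOKEN = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")


def render_section_unsafe(classes: str, body: str) -> str:
    """Vulnerable pattern (modelled on the advisory, not the real macro):
    the caller-controlled value is pasted into the generated markup as-is,
    so any markup-significant characters in it change what the renderer
    sees instead of being treated as data."""
    return f'(% class="{classes}" %)((({body})))'


def validate_classes(classes: str) -> str:
    """Allowlist validation of the classes parameter.

    Returns the normalised value (single spaces between tokens) or raises
    ValueError for anything outside the allowlist. Validation against a
    tight allowlist is used here instead of escaping because the set of
    legitimate class names is small and well defined; proper escaping
    would require the rendering engine's own escaper."""
    tokens = classes.split()
    if not tokens:
        raise ValueError("classes must contain at least one class name")
    for tok in tokens:
        if not CLASS_TOKEN.match(tok):
            raise ValueError(f"rejected class name: {tok!r}")
    return " ".join(tokens)


def render_section_safe(classes: str, body: str) -> str:
    """Hardened pattern: the parameter is validated before it is embedded."""
    return f'(% class="{validate_classes(classes)}" %)((({body})))'


# Constructed sample parameter values (not taken from any real request).
SAMPLE_VALUES = [
    "confluence-section",   # ordinary class name
    "col-1  col-2",         # two classes, extra whitespace is normalised
    'section" extra',       # a quote would terminate the attribute value
    "section {{x}}",        # braces are macro delimiters in wiki syntax
]


def audit_values(values):
    """Return {value: accepted} for a batch of candidate parameter values,
    useful when reviewing stored page content for values the hardened
    renderer would refuse."""
    result = {}
    for v in values:
        try:
            validate_classes(v)
            result[v] = True
        except ValueError:
            result[v] = False
    return result


if __name__ == "__main__":
    for value, accepted in audit_values(SAMPLE_VALUES).items():
        print(f"{value!r}: {'accepted' if accepted else 'rejected'}")
    print(render_section_safe("col-1  col-2", "body text"))
```

Running the module lists which constructed values the allowlist accepts and shows the normalised markup for a valid one; the two samples carrying a quote or macro braces are refused before they ever reach the markup string, which is the behaviour the unsafe variant lacks.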