Cyber Resilience

CVE-2025-55729

Critical

Published: 09 September 2025

Modified: 15 April 2026
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0117 (79.1st percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-55729 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in XWiki (product inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

XWiki Remote Macros, a set of rendering macros for migrating content from Confluence, contains an improper output escaping flaw in the ConfluenceLayoutSection macro. The ac:type parameter, specifically through its classes value, is inserted unescaped into XWiki syntax, enabling syntax injection. The issue affects all versions from 1.0 through 1.26.4 and carries a CVSS 3.1 score of 10.0 under CWE-116.

Any authenticated user able to edit a page can supply a malicious ac:type value that executes arbitrary XWiki script, resulting in remote code execution on the server with no further user interaction required. The attack is fully remote and requires only page-edit rights rather than administrative privileges.

The project security advisory GHSA-22xj-jpjg-gpgw and the linked commit 06e6cf3 document the root cause in ConfluenceLayoutSection.xml and confirm that version 1.26.5 contains the corrective escaping changes; the associated XWIKI-20449 Jira entry tracks the same remediation.

EPSS remains flat at 0.0117 with no material increase after disclosure, and no public evidence of in-the-wild exploitation has been reported.

Vulnerability details

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.

CWE(s): CWE-116 Improper Encoding or Escaping of Output

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote unauthenticated XWiki syntax injection leading to arbitrary server-side code execution directly maps to public-facing app exploitation (T1190) and command/scripting interpreter usage (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34483 (shared CWE-116)
CVE-2024-10441 (shared CWE-116)
CVE-2025-55730 (shared CWE-116)
CVE-2026-24737 (shared CWE-116)
CVE-2025-15312 (shared CWE-116)
CVE-2026-34480 (shared CWE-116)
CVE-2025-40547 (shared CWE-116)
CVE-2026-32811 (shared CWE-116)
CVE-2026-33301 (shared CWE-116)
CVE-2026-33597 (shared CWE-116)

Affected Assets

XWiki (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent: Directly addresses the vulnerability by requiring timely remediation through upgrading to version 1.26.5, which fixes the missing escaping in the ConfluenceLayoutSection macro.

prevent: Mandates validation of user-supplied parameters like ac:type and classes to block XWiki syntax injection leading to remote code execution.

prevent: Limits system functionality by disabling unnecessary macros such as ConfluenceLayoutSection when not required for Confluence migration, reducing the attack surface.

References