Cyber Resilience

CVE-2025-55730

Critical

Published: 09 September 2025

Published
09 September 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0117 79.1th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55730 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Xwiki (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

XWiki Remote Macros, a set of rendering macros intended for Confluence-to-XWiki migrations, contains an improper input sanitization flaw in the Confluence paste code macro. The vulnerability, present from version 1.0 through 1.26.4, stems from the title parameter (specifically the classes value) being interpolated directly into XWiki syntax without escaping, enabling syntax injection that leads to remote code execution.

Any authenticated user with permission to edit a page can trigger the flaw by supplying a malicious title value in the macro, resulting in arbitrary code execution on the server with the privileges of the XWiki process. The issue carries a CVSS 3.1 score of 10.0, reflecting network-accessible, low-complexity exploitation that affects confidentiality, integrity, and availability across the entire instance.

The project security advisory GHSA-5w8v-h22g-j2mp and the linked commit document the fix released in version 1.26.5, which adds proper escaping to the affected parameter. The associated Jira ticket XWIKI-20449 tracks the remediation.

EPSS remains flat at a low value of 0.0117 with no observed increase after disclosure.

EU & UK References

Vulnerability details

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for…

more

any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via unsanitized XWiki syntax injection in a public-facing wiki macro, matching exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34483Shared CWE-116
CVE-2024-10441Shared CWE-116
CVE-2026-24737Shared CWE-116
CVE-2026-32811Shared CWE-116
CVE-2025-55729Shared CWE-116
CVE-2026-43939Shared CWE-116
CVE-2025-56266Shared CWE-116
CVE-2026-43938Shared CWE-116
CVE-2025-27109Shared CWE-116
CVE-2025-27108Shared CWE-116

Affected Assets

Xwiki
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely patching of the XWiki Remote Macros extension to version 1.26.5, which fixes the improper escaping of the classes parameter leading to XWiki syntax injection and RCE.

prevent

Mandates validation of user-supplied inputs like the classes parameter in the Confluence Paste Code Macro to block malicious XWiki syntax injection.

prevent

Enforces filtering and proper encoding of outputs, such as the unescaped title/classes parameter inserted into XWiki syntax, to prevent injection attacks.

References