CVE-2025-55730
Published: 09 September 2025
Summary
CVE-2025-55730 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in XWiki (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
XWiki Remote Macros, a set of rendering macros intended for Confluence-to-XWiki migrations, contains an improper input sanitization flaw in the Confluence paste code macro. The vulnerability, present from version 1.0 through 1.26.4, stems from the title parameter (specifically the classes value) being interpolated directly into XWiki syntax without escaping, enabling syntax injection that leads to remote code execution.
Any authenticated user with permission to edit a page can trigger the flaw by supplying a malicious title value in the macro, resulting in arbitrary code execution on the server with the privileges of the XWiki process. The issue carries a CVSS 3.1 score of 10.0, reflecting network-accessible, low-complexity exploitation that affects confidentiality, integrity, and availability across the entire instance.
The project security advisory GHSA-5w8v-h22g-j2mp and the linked commit document the fix released in version 1.26.5, which adds proper escaping to the affected parameter. The associated Jira ticket XWIKI-20449 tracks the remediation.
EPSS remains flat at a low value of 0.0117 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27427
Vulnerability details
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via unsanitized XWiki syntax injection in a public-facing wiki macro, matching exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
- Requires timely patching of the XWiki Remote Macros extension to version 1.26.5, which fixes the improper escaping of the classes parameter leading to XWiki syntax injection and RCE.
- SI-10 (Information Input Validation): mandates validation of user-supplied inputs like the classes parameter in the Confluence Paste Code Macro to block malicious XWiki syntax injection.
- SI-15 (Information Output Filtering): enforces filtering and proper encoding of outputs, such as the unescaped title/classes parameter inserted into XWiki syntax, to prevent injection attacks.