CVE-2025-65036
Published: 05 December 2025
Summary
CVE-2025-65036 is a high-severity Missing Authorization (CWE-862) vulnerability in XWiki Pro Macros, affecting its XWiki Remote Macros component. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 25.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations before executing Velocity code from details pages, directly addressing the missing permission checks that enable RCE.
- SI-2 (Flaw Remediation): remediates the specific flaw by timely patching to XWiki Remote Macros version 1.27.1, which adds the required permission checks.
- AC-6 (Least Privilege): restricts which low-privilege users can author content that ends up being executed as Velocity code, limiting the vulnerability's exploitation scope.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote code execution by exploiting a public-facing web application (XWiki) through missing authorization in Remote Macros, which maps directly to T1190. The mechanism is server-side template injection (Velocity code from a wiki page evaluated on the server), which this page also maps to T1221 (Template Injection). Note that ATT&CK defines T1221 in terms of malicious references in user document templates (for example Office remote templates), so it is an approximate fit here; T1190 is the primary technique for detection and threat-modeling purposes.
NVD Description
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1.
Deeper analysis
CVE-2025-65036 affects XWiki Remote Macros, a component that provides XWiki rendering macros for migrating content from Confluence. In versions prior to 1.27.1, the macro executes Velocity code from details pages without performing permission checks, enabling remote code execution. The vulnerability is classified as CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L): reachable over the network, low attack complexity, low privileges required, no user interaction, and high confidentiality and integrity impact.
An attacker with low-privilege access, such as a registered user on the XWiki instance, can exploit this vulnerability over the network with low complexity and no user interaction. By placing crafted content in a details page that the macro later renders, the attacker can trigger Velocity execution that was never authorized for that user, achieving remote code execution on the server. The C:H/I:H/A:L impact reflects what that gives an attacker: data exfiltration and modification on the wiki host, with availability disruption rated low.
The vulnerability is addressed in XWiki Remote Macros version 1.27.1, which introduces proper permission checks before Velocity from details pages is executed. Security practitioners should update to 1.27.1 or later as soon as possible. Additional details are available in the GitHub Security Advisory at https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-472x-fwh9-r82f.
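The bug class described above, as an added illustration that is not code from xwiki-pro-macros: a stand-in macro fetches the content of a "details" page and evaluates it with a toy template engine playing the role of Velocity. The vulnerable variant evaluates whatever the page contains; the hardened variant first checks that the page's content author holds the script right, on the assumption (XWiki's usual rule) that a page's scripts run with the rights of its content author rather than of the viewer. `Page`, `Wiki`, `toy_velocity`, the `#exec(...)` directive and the sample pages are all constructed for the example.

```python
"""Model of the missing-authorization bug class behind CVE-2025-65036.

Illustrative only: not code from xwiki-pro-macros. A toy template engine
stands in for Velocity, and a flat set of user names stands in for XWiki's
rights system (both assumptions of this example).
"""
import re
from dataclasses import dataclass


@dataclass
class Page:
    name: str
    author: str   # last content author; the page's scripts run with this user's rights
    content: str


@dataclass
class Wiki:
    pages: dict          # page name -> Page
    script_right: set    # users holding the script right (modelled as a flat set)


class AuthorizationError(PermissionError):
    """Raised when content would be executed on behalf of an unauthorized author."""


# Toy engine: ${var} substitution plus a #exec(...) directive standing in for the
# arbitrary server-side calls Velocity exposes. Everything handed to #exec is
# recorded in `sink` so the caller (or a test) can observe what "ran".
_EXEC = re.compile(r"#exec\(([^)]*)\)")
_VAR = re.compile(r"\$\{(\w+)\}")


def toy_velocity(template: str, context: dict, sink: list) -> str:
    def run(match):
        sink.append(match.group(1))
        return f"<executed:{match.group(1)}>"
    rendered = _EXEC.sub(run, template)
    return _VAR.sub(lambda m: str(context.get(m.group(1), "")), rendered)


def render_details_vulnerable(wiki: Wiki, page_name: str, context: dict, sink: list) -> str:
    """Pre-1.27.1 pattern: evaluate the details page with no permission check at all."""
    page = wiki.pages[page_name]
    return toy_velocity(page.content, context, sink)


def render_details_fixed(wiki: Wiki, page_name: str, context: dict, sink: list) -> str:
    """Hardened pattern: refuse to execute unless the content author may run scripts."""
    page = wiki.pages[page_name]
    if page.author not in wiki.script_right:
        raise AuthorizationError(
            f"{page.author!r} lacks script right; refusing to execute {page_name!r}")
    return toy_velocity(page.content, context, sink)


def demo() -> tuple:
    """Constructed scenario: a low-privilege user plants a payload in a details page."""
    wiki = Wiki(
        pages={
            "Migration.Details": Page(
                name="Migration.Details",
                author="mallory",   # registered user without script right
                content="Owner: ${owner} #exec(cat /etc/passwd)",
            ),
            "Admin.Details": Page(
                name="Admin.Details",
                author="admin",
                content="Owner: ${owner}",
            ),
        },
        script_right={"admin"},
    )
    ctx = {"owner": "ops-team"}

    ran_vuln = []
    vuln_out = render_details_vulnerable(wiki, "Migration.Details", ctx, ran_vuln)

    ran_fixed = []
    try:
        render_details_fixed(wiki, "Migration.Details", ctx, ran_fixed)
        blocked = False
    except AuthorizationError:
        blocked = True

    # A page authored by a user who does hold the right still renders after the fix.
    admin_out = render_details_fixed(wiki, "Admin.Details", ctx, ran_fixed)
    return vuln_out, ran_vuln, blocked, ran_fixed, admin_out


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The design point is which identity the check is made against: rendering a page that someone else wrote must be gated on the author's rights, because the viewer's rights say nothing about whether the author was allowed to put executable content there. Refusing outright (as here) is the simplest safe behaviour; rendering the content as inert text is the other common choice.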
Details
- CWE(s)