Cyber Posture

CVE-2025-66474

High · Public PoC · RCE

Published: 10 December 2025

Modified: 19 December 2025
KEV Added: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0064 (70.8th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-66474 is a high-severity Eval Injection (CWE-95) vulnerability in XWiki Rendering (vendor: Xwiki). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 29.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-2, Flaw Remediation): Timely flaw remediation through patching directly fixes the insufficient {{/html}} injection protection in XWiki Rendering, preventing RCE via script macros.

Prevent (SI-10, Information Input Validation): Information input validation neutralizes malicious wiki syntax and HTML inputs, blocking injection of executable Groovy and Python macros during rendering.

Prevent (AC-6, Least Privilege): Least privilege restricts document and profile edit permissions to essential users only, limiting the attack surface for low-privileged authenticated exploitation.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is an HTML injection in a public-facing web application (XWiki Rendering) that low-privileged authenticated users can exploit (T1190). It leads to arbitrary macro/script execution (Groovy/Python) and therefore server-side RCE, which in turn enables privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc.) into another syntax (XHTML, etc.). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit through RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1.

Deeper analysis (AI)

CVE-2025-66474 is an insufficient protection against {{/html}} injection vulnerability in XWiki Rendering, a generic rendering system that converts textual input from syntaxes like wiki syntax or HTML into formats such as XHTML. The flaw affects XWiki Rendering versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0. It is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and CWE-94 (Improper Control of Generation of Code).

Any authenticated user with permission to edit their own profile or any other document can exploit this vulnerability over the network with low complexity. Successful exploitation allows execution of arbitrary script macros, such as Groovy and Python, leading to remote code execution on the server as well as unrestricted read and write access to all wiki contents.

The issue is fixed in XWiki Rendering versions 16.10.10, 17.4.3, and 17.6.0-rc-1, as detailed in the project's GitHub commits, security advisory (GHSA-9xc6-c2rm-f27p), and Jira tickets XRENDERING-693 and XRENDERING-792. Security practitioners should prioritize upgrading affected instances to patched versions to mitigate the risk of RCE.
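The version ranges above are the first thing a defender has to turn into an inventory check. The following Python is an added example, not code from the XWiki project; it encodes the affected ranges exactly as the NVD description states them and assumes XWiki's "major.minor.patch" and "-rc-N" version format (any other suffix is rejected rather than guessed).

```python
import re

# Affected ranges as stated in the NVD description for CVE-2025-66474:
#   <= 16.10.9, 17.0.0-rc-1 .. 17.4.2, 17.5.0-rc-1 .. 17.5.0
# Fixed in 16.10.10, 17.4.3 and 17.6.0-rc-1. A pre-release that sits between a
# range's upper bound and the fixed release (e.g. an rc of 17.4.3) is not listed
# in the advisory and is treated here as outside the range (assumption).
AFFECTED_RANGES = [
    (None, "16.10.9"),
    ("17.0.0-rc-1", "17.4.2"),
    ("17.5.0-rc-1", "17.5.0"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc-(\d+))?$")


def version_key(version: str) -> tuple:
    """Turn an XWiki-style version ('17.6.0-rc-1', '16.10.9') into a sortable key.
    A release candidate sorts before the final release with the same number."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version format: {version!r}")
    major, minor, patch, rc = m.groups()
    is_final = 1 if rc is None else 0          # rc (0) < final (1)
    return (int(major), int(minor), int(patch), is_final, int(rc or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the AFFECTED_RANGES."""
    key = version_key(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or version_key(low) <= key) and key <= version_key(high):
            return True
    return False


def triage(versions):
    """Split an inventory of installed versions into (affected, not affected)."""
    affected = [v for v in versions if is_affected(v)]
    clear = [v for v in versions if not is_affected(v)]
    return affected, clear


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = ["15.10.8", "16.10.9", "16.10.10", "17.0.0-rc-1",
                 "17.4.2", "17.4.3", "17.5.0", "17.6.0-rc-1"]
    hit, ok = triage(inventory)
    print("affected:    ", hit)
    print("not affected:", ok)
```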

Details

CWE(s): CWE-95 (Eval Injection), CWE-94 (Improper Control of Generation of Code)

Affected Products

xwiki
xwiki-rendering
17.5.0 · ≤ 16.10.10 · 17.0.0 — 17.4.3

CVEs Like This One

CVE-2025-55728 (same vendor: Xwiki)
CVE-2025-24893 (same vendor: Xwiki)
CVE-2025-55727 (same vendor: Xwiki)
CVE-2025-53836 (same vendor: Xwiki)
CVE-2026-33229 (same vendor: Xwiki)
CVE-2025-29924 (same vendor: Xwiki)
CVE-2025-23025 (same vendor: Xwiki)
CVE-2025-32429 (same vendor: Xwiki)
CVE-2025-29926 (same vendor: Xwiki)
CVE-2025-54385 (same vendor: Xwiki)