CVE-2025-32972

LOW
2025-04-30 [email protected]
2.7
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:39 vuln.today
Patch Released
Mar 28, 2026 - 18:39 nvd
Patch available
CVE Published
Apr 30, 2025 - 15:16 nvd
LOW 2.7

Tags

Authentication Bypass Xwiki

Description

XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

Analysis

XWiki is a generic wiki platform. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Technical Context

This vulnerability is classified under CWE-285. XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1. Affected products include: Xwiki. Version information: before 15.10.12.

Affected Products

Xwiki.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

14
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +14
POC: 0

Share

CVE-2025-32972 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy