How to fix CVE-2025-32974?

Within 24 hours: Identify all affected systems running versions starting from 15.9-rc-1 to and apply vendor patches immediately. Vendor patch is available.

Is Xwiki affected by CVE-2025-32974?

Organizations using versions starting from 15.9-rc-1 to face critical risk from CVE-2025-32974 rated CVSS 9.0. Successful exploitation could critically impact the confidentiality, integrity, and availability of affected systems.

CVE-2025-32974

CRITICAL

2025-04-30 [email protected]

9.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:39 vuln.today

Patch Released

Mar 28, 2026 - 18:39 nvd

Patch available

CVE Published

Apr 30, 2025 - 15:16 nvd

CRITICAL 9.0

Description

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.

Analysis

XWiki is a generic wiki platform. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity.

Technical Context

This vulnerability is classified under CWE-116. XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0. Affected products include: Xwiki. Version information: before 15.10.8.

Affected Products

Xwiki.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +1.4

CVSS: +45

POC: 0

CVE-2025-32974 vulnerability details – vuln.today

Back

CVE-2025-32974

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-32974

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code