What is the CVSS score of CVE-2025-49584?

CVE-2025-49584 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Xwiki are affected by CVE-2025-49584?

XWiki installations are vulnerable to unauthorized disclosure of page titles through the REST API, potentially exposing sensitive information if page names have been intentionally obscured.. A patch is available.

Is there a public PoC exploit available for CVE-2025-49584?

Yes, a public proof-of-concept exploit is available for CVE-2025-49584. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-49584?

Within 24 hours: Inventory all XWiki instances and their current versions. Within 7 days: Apply vendor patches (16.4.7, 16.10.3, or 17.0.0) to all affected systems. Within 30 days: Conduct a security audit to determine if page titles were accessed through this vulnerability and assess whether naming strategy changes are needed.

Xwiki CVE-2025-49584

EUVD-2025-18305 HIGH

Insertion of Sensitive Information Into Sent Data (CWE-201)

2025-06-13 security-advisories@github.com

GHSA-mvp5-qx9c-c3fv

Information Disclosure Xwiki

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 21:34 euvd

EUVD-2025-18305

Analysis Generated

Mar 14, 2026 - 21:34 vuln.today

Patch released

Mar 14, 2026 - 21:34 nvd

Patch available

PoC Detected

Sep 03, 2025 - 17:48 vuln.today

Public exploit code

CVE Published

Jun 13, 2025 - 18:15 nvd

HIGH 7.5

DescriptionNVD

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page.

AnalysisAI

A security vulnerability in XWiki Platform (CVSS 7.5) that allows an attacker. Risk factors: public PoC available. Vendor patch is available.

Technical ContextAI

CWE-201 (Information Exposure via Sent Data). CVSS 7.5 indicates high severity. Affects XWiki Platform.

RemediationAI

Apply the vendor-supplied patch immediately.

CVE-2025-49584 vulnerability details – vuln.today

Back

Xwiki CVE-2025-49584

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code