How to fix CVE-2025-49584?

Within 24 hours: Inventory all XWiki instances and their current versions. Within 7 days: Apply vendor patches (16.4.7, 16.10.3, or 17.0.0) to all affected systems. Within 30 days: Conduct a security audit to determine if page titles were accessed through this vulnerability and assess whether naming strategy changes are needed.

Is Xwiki affected by CVE-2025-49584?

XWiki installations are vulnerable to unauthorized disclosure of page titles through the REST API, potentially exposing sensitive information if page names have been intentionally obscured.

CVE-2025-49584

EUVD-2025-18305 HIGH

2025-06-13 [email protected]

GHSA-mvp5-qx9c-c3fv

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 21:34 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 21:34 euvd

EUVD-2025-18305

Patch Released

Mar 14, 2026 - 21:34 nvd

Patch available

PoC Detected

Sep 03, 2025 - 17:48 vuln.today

Public exploit code

CVE Published

Jun 13, 2025 - 18:15 nvd

HIGH 7.5

Description

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page.

Analysis

A security vulnerability in XWiki Platform (CVSS 7.5) that allows an attacker. Risk factors: public PoC available. Vendor patch is available.

Technical Context

CWE-201 (Information Exposure via Sent Data). CVSS 7.5 indicates high severity. Affects XWiki Platform.

Affected Products

['XWiki Platform']

Remediation

Apply the vendor-supplied patch immediately.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: +20

CVE-2025-49584 vulnerability details – vuln.today

Back

CVE-2025-49584

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-49584

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code