CVE-2025-49585

EUVD-2025-18299 | HIGH 8.0 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 21:34 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:34 (euvd), EUVD-2025-18299
Patch Released: Mar 14, 2026 - 21:34 (nvd), patch available
PoC Detected: Sep 03, 2025 - 17:47 (vuln.today), public exploit code
CVE Published: Jun 13, 2025 - 18:15 (nvd), HIGH 8.0

Description

XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and queries in database list properties. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9; before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

Analysis

A security vulnerability in the affected XWiki versions (CVSS 8.0). Risk factors: public PoC available. Vendor patch is available.

Technical Context

Vulnerability type not specified by vendor. CVSS 8.0 indicates high severity. Affects the XWiki versions listed in the description.

Affected Products

XWiki versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1

Remediation

Apply the vendor-supplied patch immediately by upgrading to XWiki 16.10.2, 16.4.7 or 15.10.16.

Priority Score

60 (KEV: 0, EPSS: +0.3, CVSS: +40, POC: +20)
