What is the CVSS score of CVE-2025-49586?

CVE-2025-49586 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 4.6%.

Which versions of Xwiki are affected by CVE-2025-49586?

Any XWiki user with basic editing permissions can escalate privileges to gain complete system control and execute arbitrary code on affected servers.. A patch is available.

Is there a public PoC exploit available for CVE-2025-49586?

Yes, a public proof-of-concept exploit is available for CVE-2025-49586. Prioritise patching immediately. EPSS: 4.6%.

How to fix or mitigate CVE-2025-49586?

Within 24 hours: inventory all XWiki instances across the organization and identify version numbers; restrict editing permissions on App Within Minutes applications to trusted administrators only. Within 7 days: apply vendor patches (versions 17.0.0, 16.4.7, or 16.10.3) to all affected instances; test patches in non-production environments first. Within 30 days: complete patching of all XWiki deployments and restore normal user permissions after validation.

Xwiki CVE-2025-49586

EUVD-2025-18297 HIGH

Incorrect Authorization (CWE-863)

2025-06-13 security-advisories@github.com

GHSA-jp4x-w9cj-97q7

RCE Xwiki

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 21:34 euvd

EUVD-2025-18297

Analysis Generated

Mar 14, 2026 - 21:34 vuln.today

Patch released

Mar 14, 2026 - 21:34 nvd

Patch available

PoC Detected

Sep 03, 2025 - 17:47 vuln.today

Public exploit code

CVE Published

Jun 13, 2025 - 18:15 nvd

HIGH 8.8

DescriptionNVD

XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.

AnalysisAI

A remote code execution vulnerability in XWiki (CVSS 8.8). Risk factors: public PoC available. Vendor patch is available.

Technical ContextAI

CWE-863 (Incorrect Authorization). CVSS 8.8 indicates high severity. Affects XWiki.

RemediationAI

Apply the vendor-supplied patch immediately.

CVE-2025-49586 vulnerability details – vuln.today

Back

Xwiki CVE-2025-49586

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code