Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionGitHub Advisory
XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.
AnalysisAI
Stored XSS vulnerability in XWiki affecting versions before 15.10.16, 16.4.7, and 16.10.2. An unprivileged user can inject malicious content into the NotificationDisplayerClass object of a document, which is then rendered as raw HTML when an administrator edits and saves the document, enabling XSS attacks with high integrity and confidentiality impact. The vulnerability requires low attack complexity and user interaction (admin action), with a CVSS score of 8.0 indicating significant real-world risk.
Technical ContextAI
XWiki is a Java-based collaborative wiki platform that processes wiki markup and supports Velocity template engine for dynamic content. The vulnerability exists in the XWiki.Notifications.Code.NotificationDisplayerClass object property handling. When this object is created by a user without script rights and contains malicious Velocity code or HTML payloads, the content is not properly sanitized or validated before being output during admin document editing. The root cause is CWE-357 (Insufficient UI Warning for Dangerous Operations), where the system failed to warn administrators about potentially dangerous content before processing user-created objects. While Velocity code execution itself is legitimate, the lack of pre-edit warnings before XWiki 15.9 meant admins had no mechanism to identify and reject suspicious content. The fix introduces a 'required rights analyzer' that validates script permissions on the object properties before allowing admin edits.
RemediationAI
Immediate patch versions: upgrade to XWiki 15.10.16, 16.4.7, or 16.10.2 or later depending on current version branch. For users unable to immediately patch: (1) Restrict document creation/editing rights to trusted users only via XWiki permission system; (2) Disable the Notifications application if not critical; (3) Implement admin review procedures that treat any NotificationDisplayerClass objects with heightened suspicion, avoiding save operations on documents containing such objects until patched; (4) Monitor document edit logs for unprivileged users creating documents with class objects; (5) Use XWiki's built-in content security policies if available to restrict HTML output in notification contexts. For versions 15.9+, the warning system provides some defense-in-depth but should not be relied upon as sole mitigation. Vendor advisories and patches are available from the XWiki Security Advisory page.
XWiki Platform allows unauthenticated remote code execution through the SolrSearch endpoint, enabling guests to execute
XWiki Platform prior to specific patched versions contains a CVSS 10.0 remote code execution vulnerability through the u
XWiki is a generic wiki platform. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical
XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl
XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical
XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl
A remote code execution vulnerability in XWiki (CVSS 8.8). Risk factors: public PoC available. Vendor patch is available
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical
XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18296
GHSA-j7p2-87q3-44w7