How to fix CVE-2025-49587?

Within 24 hours: Audit XWiki instances for versions 15.9 and earlier, and identify which are running affected versions (15.x before 15.10.16, 16.x before 16.4.7, or 16.10.x before 16.10.2). Within 7 days: Apply available patches to all XWiki instances (upgrade to 15.10.16, 16.4.7, 16.10.2 or later). Within 30 days: Review and document any documents with NotificationDisplayerClass objects created by non-admin users as potential indicators of compromise.

Is Xwiki affected by CVE-2025-49587?

XWiki installations are vulnerable to cross-site scripting (XSS) attacks when administrators edit documents containing malicious notification objects created by unprivileged users.

CVE-2025-49587

EUVD-2025-18296 HIGH

2025-06-13 [email protected]

GHSA-j7p2-87q3-44w7

8.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 21:34 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 21:34 euvd

EUVD-2025-18296

Patch Released

Mar 14, 2026 - 21:34 nvd

Patch available

PoC Detected

Sep 03, 2025 - 17:44 vuln.today

Public exploit code

CVE Published

Jun 13, 2025 - 18:15 nvd

HIGH 8.0

Description

XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.

Analysis

Stored XSS vulnerability in XWiki affecting versions before 15.10.16, 16.4.7, and 16.10.2. An unprivileged user can inject malicious content into the NotificationDisplayerClass object of a document, which is then rendered as raw HTML when an administrator edits and saves the document, enabling XSS attacks with high integrity and confidentiality impact. The vulnerability requires low attack complexity and user interaction (admin action), with a CVSS score of 8.0 indicating significant real-world risk.

Technical Context

XWiki is a Java-based collaborative wiki platform that processes wiki markup and supports Velocity template engine for dynamic content. The vulnerability exists in the XWiki.Notifications.Code.NotificationDisplayerClass object property handling. When this object is created by a user without script rights and contains malicious Velocity code or HTML payloads, the content is not properly sanitized or validated before being output during admin document editing. The root cause is CWE-357 (Insufficient UI Warning for Dangerous Operations), where the system failed to warn administrators about potentially dangerous content before processing user-created objects. While Velocity code execution itself is legitimate, the lack of pre-edit warnings before XWiki 15.9 meant admins had no mechanism to identify and reject suspicious content. The fix introduces a 'required rights analyzer' that validates script permissions on the object properties before allowing admin edits.

Affected Products

XWiki versions prior to: 15.10.16, 16.4.7, and 16.10.2. Affected products and versions include: XWiki Community 15.0 through 15.10.15, XWiki Community 16.0 through 16.4.6, XWiki Community 16.5 through 16.10.1. The vulnerability specifically affects instances where: (1) unprivileged users can create/edit documents, (2) documents contain XWiki.Notifications.Code.NotificationDisplayerClass objects, and (3) administrators access and modify those documents. Enterprise variants (XWiki Enterprise) with the same version numbers are similarly affected. Configuration risk is elevated in open-wiki or internal-collaboration deployments with mixed privilege levels.

Remediation

Immediate patch versions: upgrade to XWiki 15.10.16, 16.4.7, or 16.10.2 or later depending on current version branch. For users unable to immediately patch: (1) Restrict document creation/editing rights to trusted users only via XWiki permission system; (2) Disable the Notifications application if not critical; (3) Implement admin review procedures that treat any NotificationDisplayerClass objects with heightened suspicion, avoiding save operations on documents containing such objects until patched; (4) Monitor document edit logs for unprivileged users creating documents with class objects; (5) Use XWiki's built-in content security policies if available to restrict HTML output in notification contexts. For versions 15.9+, the warning system provides some defense-in-depth but should not be relied upon as sole mitigation. Vendor advisories and patches are available from the XWiki Security Advisory page.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +40

POC: +20

CVE-2025-49587 vulnerability details – vuln.today

Back

CVE-2025-49587

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-49587

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code