What is the CVSS score of CVE-2025-49587?

CVE-2025-49587 has a CVSS 3.1 base score of 8.0 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of Xwiki are affected by CVE-2025-49587?

XWiki installations are vulnerable to cross-site scripting (XSS) attacks when administrators edit documents containing malicious notification objects created by unprivileged users.. A patch is available.

Is there a public PoC exploit available for CVE-2025-49587?

Yes, a public proof-of-concept exploit is available for CVE-2025-49587. Prioritise patching immediately. EPSS: 0.3%.

How to fix or mitigate CVE-2025-49587?

Within 24 hours: Audit XWiki instances for versions 15.9 and earlier, and identify which are running affected versions (15.x before 15.10.16, 16.x before 16.4.7, or 16.10.x before 16.10.2). Within 7 days: Apply available patches to all XWiki instances (upgrade to 15.10.16, 16.4.7, 16.10.2 or later). Within 30 days: Review and document any documents with NotificationDisplayerClass objects created by non-admin users as potential indicators of compromise.

Xwiki CVE-2025-49587

EUVD-2025-18296 HIGH

Insufficient UI Warning of Dangerous Operations (CWE-357)

2025-06-13 security-advisories@github.com

GHSA-j7p2-87q3-44w7

XSS Xwiki

8.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 21:34 euvd

EUVD-2025-18296

Analysis Generated

Mar 14, 2026 - 21:34 vuln.today

Patch released

Mar 14, 2026 - 21:34 nvd

Patch available

PoC Detected

Sep 03, 2025 - 17:44 vuln.today

Public exploit code

CVE Published

Jun 13, 2025 - 18:15 nvd

HIGH 8.0

DescriptionNVD

XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.

AnalysisAI

Stored XSS vulnerability in XWiki affecting versions before 15.10.16, 16.4.7, and 16.10.2. An unprivileged user can inject malicious content into the NotificationDisplayerClass object of a document, which is then rendered as raw HTML when an administrator edits and saves the document, enabling XSS attacks with high integrity and confidentiality impact. The vulnerability requires low attack complexity and user interaction (admin action), with a CVSS score of 8.0 indicating significant real-world risk.

Technical ContextAI

XWiki is a Java-based collaborative wiki platform that processes wiki markup and supports Velocity template engine for dynamic content. The vulnerability exists in the XWiki.Notifications.Code.NotificationDisplayerClass object property handling. When this object is created by a user without script rights and contains malicious Velocity code or HTML payloads, the content is not properly sanitized or validated before being output during admin document editing. The root cause is CWE-357 (Insufficient UI Warning for Dangerous Operations), where the system failed to warn administrators about potentially dangerous content before processing user-created objects. While Velocity code execution itself is legitimate, the lack of pre-edit warnings before XWiki 15.9 meant admins had no mechanism to identify and reject suspicious content. The fix introduces a 'required rights analyzer' that validates script permissions on the object properties before allowing admin edits.

RemediationAI

Immediate patch versions: upgrade to XWiki 15.10.16, 16.4.7, or 16.10.2 or later depending on current version branch. For users unable to immediately patch: (1) Restrict document creation/editing rights to trusted users only via XWiki permission system; (2) Disable the Notifications application if not critical; (3) Implement admin review procedures that treat any NotificationDisplayerClass objects with heightened suspicion, avoiding save operations on documents containing such objects until patched; (4) Monitor document edit logs for unprivileged users creating documents with class objects; (5) Use XWiki's built-in content security policies if available to restrict HTML output in notification contexts. For versions 15.9+, the warning system provides some defense-in-depth but should not be relied upon as sole mitigation. Vendor advisories and patches are available from the XWiki Security Advisory page.

CVE-2025-49587 vulnerability details – vuln.today

Back

Xwiki CVE-2025-49587

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code