Skip to main content

Xwiki CVE-2025-53835

| EUVDEUVD-2025-21399 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2025-07-14 security-advisories@github.com GHSA-w3wh-g4m9-783p
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Mar 16, 2026 - 09:43 euvd
EUVD-2025-21399
Analysis Generated
Mar 16, 2026 - 09:43 vuln.today
Patch released
Mar 16, 2026 - 09:43 nvd
Patch available
CVE Published
Jul 14, 2025 - 23:15 nvd
CRITICAL 9.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7 maven packages depend on org.xwiki.rendering:xwiki-rendering-syntax-xhtml (7 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.4.5.

DescriptionGitHub Advisory

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the xdom+xml/current syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the xdom+xml/current syntax from the XHTML syntax. Note that the xdom+xml syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading.

AnalysisAI

A cross-site scripting vulnerability in version 5.4.5 and (CVSS 9.0). Critical severity with potential for significant impact on affected systems. Vendor patch is available.

Technical ContextAI

CWE-79 (Cross-site Scripting). CVSS 9.0 indicates critical severity with likely remote exploitation vector. Affects version 5.4.5 and.

RemediationAI

Apply the vendor-supplied patch immediately.

More in Xwiki

View all
CVE-2025-24893 CRITICAL POC
9.8 Feb 20

XWiki Platform allows unauthenticated remote code execution through the SolrSearch endpoint, enabling guests to execute

CVE-2024-21650 CRITICAL POC
10.0 Jan 08

XWiki Platform prior to specific patched versions contains a CVSS 10.0 remote code execution vulnerability through the u

CVE-2025-32969 CRITICAL POC
9.3 Apr 23

XWiki is a generic wiki platform. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut

CVE-2023-27479 CRITICAL POC
9.9 Mar 07

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical

CVE-2024-31996 CRITICAL POC
9.8 Apr 10

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl

CVE-2024-31982 CRITICAL POC
9.8 Apr 10

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl

CVE-2023-46731 CRITICAL POC
9.8 Nov 06

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical

CVE-2023-26477 CRITICAL POC
9.8 Mar 02

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl

CVE-2025-49586 HIGH POC
8.8 Jun 13

A remote code execution vulnerability in XWiki (CVSS 8.8). Risk factors: public PoC available. Vendor patch is available

CVE-2025-55747 CRITICAL POC
9.3 Sep 03

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical

CVE-2025-46558 CRITICAL POC
9.0 Apr 30

XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown.

CVE-2023-45136 CRITICAL POC
9.6 Oct 25

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical

Share

CVE-2025-53835 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy