What is the CVSS score of CVE-2025-58049?

CVE-2025-58049 has a CVSS 3.1 base score of 5.8 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Xwiki are affected by CVE-2025-58049?

Organizations using versions from 14.4.2 to should be aware of moderate risk from CVE-2025-58049 rated CVSS 5.8. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2025-58049?

Yes, a public proof-of-concept exploit is available for CVE-2025-58049. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-58049?

Within 30 days: Identify affected systems running versions from 14.4.2 to and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Xwiki CVE-2025-58049

MEDIUM

Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212)

2025-08-28 security-advisories@github.com

Information Disclosure Xwiki

5.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.8 MEDIUM

AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:09 vuln.today

Patch released

Mar 28, 2026 - 19:09 nvd

Patch available

PoC Detected

Sep 02, 2025 - 17:34 vuln.today

Public exploit code

CVE Published

Aug 28, 2025 - 18:15 nvd

MEDIUM 5.8

DescriptionGitHub Advisory

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1.

AnalysisAI

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-212. XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1. Affected products include: Xwiki. Version information: before 16.4.8.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-58049 vulnerability details – vuln.today

Back

Xwiki CVE-2025-58049

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code