XWiki Pro Macros CVE-2026-44179
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable wiki, any edit-rights user suffices (PR:L), no user interaction, macro sandbox escape yields scope change with full host CIA impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The excerpt-include macro does not properly escape the title of the included page and executes the content of the excerpt with the macro's rights. Therefore, it is vulnerable to XWiki syntax injection via the included page's title and content, allowing remote code execution for any user who can edit a page.
Details
The title of the included page isn't escaped in ExcerptInclude.xml#L277. Further, the content of the excerpt macro is rendered to XWiki syntax and output into the macro's content such that it is executed with the macro's rights.
PoC
- As a user without script or programming right, create a page named
Exploit. - In the edit screen, change the title to
{{async}}{{groovy}}println("Hello from Groovy Title!"){{/groovy}}{{/async}}. - Set the content to
{{excerpt-include 0="Exploit.WebHome"}}{{/excerpt-include}}
{{excerpt}}
{{async}}{{groovy}}println("Hello from Groovy content!"){{/groovy}}{{/async}}
{{/excerpt}}- Save and view the page.
- If this displays "Hello from Groovy Title!" without the surrounding macro code or "Hello from Groovy content!", the attack succeeded.
Impact
Remote code execution impacts the confidentiality, integrity and availability of the whole XWiki installation.
AnalysisAI
Remote code execution in XWiki Pro Macros (com.xwiki.pro:xwiki-pro-macros) versions >=1.13 and <1.14.5 allows any authenticated user with page-edit rights to execute arbitrary Groovy code via the excerpt-include macro, which fails to escape the included page's title and renders excerpt content with the macro's elevated rights. A working proof-of-concept is published in the GHSA advisory demonstrating injection through both a crafted page title and excerpt body. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated XWiki account with permission to create or edit at least one page on the target wiki (no script or programming rights are needed - ordinary edit rights suffice), and the xwiki-pro-macros package version >=1.13 and <1.14.5 must be installed with the excerpt-include macro enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (9.9 Critical) is well supported: exploitation is network-reachable, requires only an ordinary editing account (PR:L), no user interaction, and changes scope by escaping the macro sandbox to compromise the host JVM with full CIA impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged user with only page-edit rights creates a page whose title contains {{async}}{{groovy}}...{{/groovy}}{{/async}}, then adds an excerpt-include macro referencing that page; when any viewer (or the attacker themselves) renders the page, the unescaped title is parsed as XWiki syntax and the Groovy block executes server-side with the macro author's rights, giving the attacker arbitrary code execution on the XWiki host. The published PoC in the GHSA advisory provides copy-pasteable payloads, so weaponization effort is essentially zero. … |
| Remediation | Vendor-released patch: upgrade com.xwiki.pro:xwiki-pro-macros to version 1.14.5 or later, as fixed by xwikisas and documented at https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-w56x-9778-rppx. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all XWiki installations running versions 1.13-1.14.4; audit which users have page-edit rights. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited
The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java
Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName p
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible bef
Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers t
All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. Rated critical severit
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an un
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Rated
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 bef
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer,
Same weakness CWE-95 – Eval Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-w56x-9778-rppx