Severity by source
CVSS 3.1 vector (GitHub Advisory, the only rating source for this CVE): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description (GitHub Advisory)
XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that has programming right like the page XWiki.ChildrenMacro and thus allows arbitrary script macros. This vulnerability has been patched in XWiki 16.4.7, 16.10.3 and 17.0.0 by executing wiki parameters with the rights of the wiki macro's author when the parameter's value is the default value.
Analysis (AI-generated)
Critical privilege escalation vulnerability in XWiki that allows any user with page edit rights to execute arbitrary code (Groovy, Python, Velocity) with programming-level privileges by creating malicious wiki macros. An attacker can exploit wiki macro parameter defaults to inject code into high-privilege pages like XWiki.ChildrenMacro, achieving full XWiki installation compromise. The vulnerability affects XWiki versions prior to 16.4.7, 16.10.3, and 17.0.0; patch availability is confirmed across multiple release branches.
Technical Context (AI-generated)
XWiki is a Java-based wiki platform that supports extensible macro scripting through multiple languages (Groovy, Python, Velocity). The vulnerability stems from CWE-94 (Improper Control of Generation of Code), specifically in how wiki macro parameters with wiki syntax support are evaluated. When a macro parameter's default value contains wiki syntax, it is executed with the document author's rights rather than the macro definition author's rights. This creates a privilege escalation chain: (1) an attacker with edit rights defines a custom wiki macro with a parameter allowing wiki syntax, (2) the attacker sets a malicious default value, (3) when this macro is invoked in a high-privilege document (e.g., XWiki.ChildrenMacro in the XWiki namespace which has programming rights), the default parameter value executes with those elevated rights. The affected product range includes XWiki Community and Enterprise editions across multiple major versions (14.x, 15.x, 16.x, 17.x branches).
Remediation (AI-generated)
Immediate patching is required: upgrade to XWiki 16.4.7 or later (for the 16.4.x branch), 16.10.3 or later (for the 16.10.x branch), or 17.0.0 or later (for the 17.x branch). The patch changes macro parameter evaluation so that a wiki-syntax parameter whose value is the default is executed with the wiki macro author's rights rather than the invoking document author's rights, which removes the privilege escalation. For organizations unable to patch immediately: (1) restrict page edit rights to highly trusted users only; (2) audit existing custom wiki macros for suspicious definitions; (3) monitor wiki modification logs for users creating new macros; (4) disable user self-service page editing if feasible; (5) implement network segmentation to limit exposure of the XWiki installation. Vendor advisory and patches are available through XWiki's official release channels (xwiki.org/download). No known workaround fully protects unpatched systems while preserving wiki functionality.
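The rights-resolution flaw described in the Technical Context section and the fix described in the Remediation section come down to one question: whose rights apply when a wiki-syntax parameter falls back to its default value? The following Python model is an added example written for this page; it is not XWiki's code, and the classes (User, MacroParameter, WikiMacro, Document), the single boolean "programming right", and the string-based script-macro detection are all simplifying assumptions. It renders the same macro invocation under the vulnerable rule (rights of the calling document's author) and the patched rule (rights of the macro author when the default value is used) so the difference is visible side by side.

```python
"""Model of the XWiki wiki-macro default-parameter rights bug (constructed example).

Assumptions: a user either holds the programming right or not; a script macro
is any {{groovy}}, {{python}} or {{velocity}} block; no other XWiki behaviour
is modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Script macros that XWiki only executes when the effective author holds programming right.
SCRIPT_MACROS = ("{{groovy}}", "{{python}}", "{{velocity}}")


@dataclass
class User:
    name: str
    programming_right: bool  # True if this user holds the programming right


@dataclass
class MacroParameter:
    name: str
    wiki_syntax: bool   # True if the parameter value is rendered as wiki syntax
    default: str = ""   # default value, written by whoever defined the macro


@dataclass
class WikiMacro:
    name: str
    author: User                      # author of the document that defines the macro
    parameters: List[MacroParameter]


@dataclass
class Document:
    name: str
    author: User  # author of the page whose content invokes the macro


def render_wiki_content(content: str, rights_holder: User) -> str:
    """Render wiki syntax with the rights of rights_holder.

    A script macro runs only if rights_holder has programming right; plain
    content is returned unchanged.
    """
    if any(tag in content for tag in SCRIPT_MACROS):
        if rights_holder.programming_right:
            return f"EXECUTED as {rights_holder.name}"
        return f"DENIED for {rights_holder.name}"
    return content


def evaluate_parameter(macro: WikiMacro, param: MacroParameter,
                       supplied: Optional[str], calling_doc: Document,
                       patched: bool) -> str:
    """Resolve a macro parameter as the vulnerable (patched=False) or fixed code would.

    Vulnerable rule: wiki-syntax values always run with the calling document
    author's rights, even when the value is the macro's own default.
    Patched rule: a default value runs with the macro author's rights; an
    explicitly supplied value still runs with the calling document author's
    rights, because that author wrote it.
    """
    value = param.default if supplied is None else supplied
    if not param.wiki_syntax:
        return value  # non-wiki parameters are never rendered, so no escalation path
    if patched and supplied is None:
        rights_holder = macro.author
    else:
        rights_holder = calling_doc.author
    return render_wiki_content(value, rights_holder)


def run_scenario(patched: bool) -> Dict[str, str]:
    """Constructed scenario: a low-privilege user overrides the 'children' macro."""
    admin = User("Admin", programming_right=True)
    low_priv = User("LowPrivUser", programming_right=False)
    # Constructed: the override gives a wiki-syntax parameter a default holding a script macro.
    script_default = "{{groovy}}/* script body omitted in this model */{{/groovy}}"
    children = WikiMacro("children", low_priv,
                         [MacroParameter("content", wiki_syntax=True, default=script_default)])
    # Constructed stand-in for XWiki.ChildrenMacro: a page whose author holds programming right.
    children_page = Document("XWiki.ChildrenMacro", admin)
    param = children.parameters[0]
    return {
        # The page invokes the macro without the parameter, so the default is used.
        "default_used": evaluate_parameter(children, param, None, children_page, patched),
        # The page author supplies a plain value: no script, nothing to execute.
        "plain_supplied": evaluate_parameter(children, param, "plain text", children_page, patched),
        # The page author supplies a script: legitimately runs with that author's own rights.
        "admin_supplied_script": evaluate_parameter(
            children, param, "{{velocity}}$doc.name{{/velocity}}", children_page, patched),
    }


if __name__ == "__main__":
    for label, patched in (("vulnerable", False), ("patched", True)):
        print(label, run_scenario(patched))
```

Under the vulnerable rule the default value is executed as Admin even though LowPrivUser wrote it; under the patched rule the same default is denied because it is evaluated as its real author, while values the page author explicitly supplies keep behaving as before. The audit step in the Remediation section targets exactly the first case: macro definitions whose wiki-syntax parameters carry non-trivial default values written by authors who should not hold programming right.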
EUVD-2025-18284