How to fix EUVD-2025-21399?

Within 24 hours: Identify all XWiki instances in your environment and document their current versions. Within 7 days: Upgrade all affected XWiki deployments to version 14.10 or later; prioritize internet-facing or multi-tenant instances first. Within 30 days: Verify patch deployment across all systems, review access logs for suspicious document edits, and reset credentials for users who may have edited documents during the vulnerability window.

Is Xwiki affected by EUVD-2025-21399?

XWiki instances are vulnerable to cross-site scripting (XSS) attacks that allow authenticated users to inject arbitrary JavaScript code through document editing features available by default.

EUVD-2025-21399

| CVE-2025-53835 CRITICAL

2025-07-14 [email protected]

GHSA-w3wh-g4m9-783p

9.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 09:43 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 09:43 euvd

EUVD-2025-21399

Patch Released

Mar 16, 2026 - 09:43 nvd

Patch available

CVE Published

Jul 14, 2025 - 23:15 nvd

CRITICAL 9.0

Description

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading.

Analysis

A cross-site scripting vulnerability in version 5.4.5 and (CVSS 9.0). Critical severity with potential for significant impact on affected systems. Vendor patch is available.

Technical Context

CWE-79 (Cross-site Scripting). CVSS 9.0 indicates critical severity with likely remote exploitation vector. Affects version 5.4.5 and.

Affected Products

['version 5.4.5 and']

Remediation

Apply the vendor-supplied patch immediately.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +1.6

CVSS: +45

POC: 0

EUVD-2025-21399 vulnerability details – vuln.today

Back

EUVD-2025-21399

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-21399

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code