XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
An attacker sends an HTTP GET request to the path `/xwiki/bin/get/Main/SolrSearch` with a `text` parameter containing a malicious payload in XWiki template format (e.g., a `{{groovy}}` block). The `SolrSearch` endpoint in vulnerable versions does not properly sanitize input data before processing, which enables Groovy code injection and evaluation (CWE-94, CWE-95) on the server side. The attack requires no authentication or user interaction — a single network request is sufficient.
An attacker gains the ability to execute arbitrary code on the server (RCE), which threatens the confidentiality, integrity, and availability of the entire XWiki installation, including access to all user data and server infrastructure.
XWiki should be updated to version 15.10.11, 16.4.1, or 16.5.0RC1. Users who cannot perform an update should manually edit the `Main.SolrSearchMacros` file (`SolrSearchMacros.xml`, line 955) — the `rawResponse` macro should be adjusted to set the content type to `application/xml` instead of directly outputting the RSS feed content, following the pattern from the `macros.vm` file (line 2824).
XWiki Platform in all versions preceding 15.10.11, 16.4.1, and 16.5.0RC1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HXwiki
APPXwiki5.35.4 – 15.10.11 (bez)16.0.0 – 16.4.1 (bez)
CISA KEV — detailsi
- Vendori
- XWiki
- Producti
- Platform
- Added to KEVi
- October 30, 2025
- Remediation deadline (US Federal)i
- November 20, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.
Related vulnerabilities
XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)
XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych
SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm
XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra
XWiki Rendering: XSS przez składnię xdom+xml/current w XHTML