HIGH🇵🇱 Wersja polska

CVE-2025-66474

CVSS 8.7v4.0pub. 2025-12-10upd. 2025-12-19

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit through RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Xwiki Rendering

    APP
    Xwiki
    17.5.0< 16.10.1017.0.0 – 17.4.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2023-37908CRITICAL9.0ten sam produkt

XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another synta...

CVE-2023-37912CRITICAL9.9ten sam produkt

XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another synta...

CVE-2026-24128MEDIUM6.5ten sam produkt

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versi...

CVE-2025-24893CRITICAL9.8⚠ KEVPL ✓ten sam vendor

XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch

CVE-2025-65091CRITICAL10.0PL ✓ten sam vendor

SQL Injection w XWiki Full Calendar Macro — dostęp bez uwierzytelnienia