High severity. NVD Advisory. Published Jun 13, 2025. Updated Jun 13, 2025.
XWiki allows remote code execution through preview of XClass changes in AWM editor
CVE-2025-49586
Description
XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users in XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-oldcore (Maven) | >= 7.2-milestone-2, < 16.4.7 | 16.4.7 |
| org.xwiki.platform:xwiki-platform-oldcore (Maven) | >= 16.5.0-rc-1, < 16.10.3 | 16.10.3 |
| org.xwiki.platform:xwiki-platform-oldcore (Maven) | >= 17.0.0-rc-1, < 17.0.0 | 17.0.0 |
Affected products
- Range: >= 7.2-milestone-2, < 16.4.7
References
- github.com/advisories/GHSA-jp4x-w9cj-97q7 (source: ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-49586 (source: ghsa; ADVISORY)
- github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42 (source: ghsa; x_refsource_MISC, WEB)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7 (source: ghsa; x_refsource_CONFIRM, WEB)
- jira.xwiki.org/browse/XWIKI-22719 (source: ghsa; x_refsource_MISC, WEB)