Critical severity 10.0 · OSV Advisory · Published Sep 9, 2025 · Updated Apr 15, 2026
CVE-2025-55730
Description
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.
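The missing-escaping pattern described above can be audited mechanically. The following is an added example, not code from the XWiki project: a small lint that flags macro parameters written into wiki-syntax output without going through `$services.rendering.escape`. The template text is reproduced from the fix hunk shown under Patches; the function names and the `PARAMS` set are assumptions made for this example.

```python
import re

# Spans whose contents never reach the rendered page as raw wiki syntax:
# the escape service call, and the condition/assignment part of a directive.
SAFE_OPEN = re.compile(
    r"\$services\.rendering\.escape\(|#\{?(?:if|elseif|set|foreach)\}?\s*\(")
# Velocity reference: $name, $!name, ${name}, $!{name}
REFERENCE = re.compile(r"\$!?\{?([A-Za-z_][A-Za-z0-9_]*)")


def strip_safe_spans(line):
    """Drop every SAFE_OPEN(...) span, following nested parentheses.
    Simplification: parentheses inside string literals are not special-cased."""
    out, i = [], 0
    while i < len(line):
        m = SAFE_OPEN.match(line, i)
        if m is None:
            out.append(line[i])
            i += 1
            continue
        depth, i = 1, m.end()
        while i < len(line) and depth:
            depth += {"(": 1, ")": -1}.get(line[i], 0)
            i += 1
    return "".join(out)


def unescaped_params(template, params):
    """Return (line number, name) for each macro parameter that is written
    into the wiki-syntax output without passing through the escape call."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), 1):
        for ref in REFERENCE.finditer(strip_safe_spans(line)):
            if ref.group(1) in params:
                findings.append((lineno, ref.group(1)))
    return findings


# Template lines as they appear in the page's fix hunk (pre-fix form).
BEFORE = """(% class="paste-code#if($withTitle) paste-code-with-title#end" %)(((
#if("$!title" != '')
(% class="paste-code-title" %)(((
$title
)))
#end
{{code language="$services.rendering.escape("$!language", $xwiki.currentContentSyntaxId)"}}
"""
AFTER = BEFORE.replace("\n$title\n",
                       "\n$services.rendering.escape($title, 'xwiki/2.1')\n")
PARAMS = {"title", "language"}  # parameter names visible in the hunk

if __name__ == "__main__":
    print("before:", unescaped_params(BEFORE, PARAMS))
    print("after: ", unescaped_params(AFTER, PARAMS))
```

The lint does not follow values assigned with `#set`, so a parameter copied into another variable and printed later still needs manual review.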
Affected products
- Range: xwiki-pro-macros-1.0, xwiki-pro-macros-1.1, xwiki-pro-macros-1.1.1, …
Patches
261d5644ce198[maven-release-plugin] prepare release xwiki-pro-macros-parent-1.26.5
13 files changed · +16 −16
pom.xml+2 −2 modified@@ -29,7 +29,7 @@ </parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> <packaging>pom</packaging> <name>Pro Macros - Parent POM</name> <description>Supercharge XWiki’s functionality with Pro macros. Compatible with Atlassian Confluence macros imported during migrations. Can be purchased individually or part of the XWiki Pro package. Try them free.</description> @@ -54,7 +54,7 @@ <connection>scm:git:git://github.com/xwikisas/xwiki-pro-macros.git</connection> <developerConnection>scm:git:git@github.com:xwikisas/xwiki-pro-macros.git</developerConnection> <url>https://github.com/xwikisas/xwiki-pro-macros/tree/master</url> - <tag>HEAD</tag> + <tag>xwiki-pro-macros-parent-1.26.5</tag> </scm> <!-- Even though this repository is already declared in the parent POM, we still explicitly redeclare it for convenience. This makes it simpler to build this project without having to declare this repository in one's own
xwiki-pro-macros-api/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ <parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> </parent> <artifactId>xwiki-pro-macros-api</artifactId> <packaging>jar</packaging>
xwiki-pro-macros-confluence-bridges/pom.xml+2 −2 modified@@ -25,10 +25,10 @@ <parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> </parent> <artifactId>xwiki-pro-macros-confluence-bridges-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> <packaging>pom</packaging> <name>Pro Macros - Confluence bridges - Parent POM</name> <description>Bridges for various Confluence macros. Can be purchased individually or part of the XWiki Pro package. Try them free.</description>
xwiki-pro-macros-confluence-bridges/xwiki-pro-macros-confluence-bridges-api/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ <parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-confluence-bridges-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> </parent> <artifactId>xwiki-pro-macros-confluence-bridges-api</artifactId> <packaging>jar</packaging>
xwiki-pro-macros-confluence-bridges/xwiki-pro-macros-confluence-bridges-legacy/pom.xml+2 −2 modified@@ -25,10 +25,10 @@ <parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-confluence-bridges-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> </parent> <artifactId>xwiki-pro-macros-confluence-bridges-legacy-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> <packaging>pom</packaging> <name>Pro Macros - Legacy Confluence bridges - Parent POM</name> <description>Legacy bridges for various Confluence macros. Can be purchased individually or part of the XWiki Pro package. Try them free.</description>
xwiki-pro-macros-confluence-bridges/xwiki-pro-macros-confluence-bridges-legacy/xwiki-pro-macros-confluence-bridges-legacy-api/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ <parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-confluence-bridges-legacy-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> </parent> <packaging>jar</packaging> <artifactId>xwiki-pro-macros-confluence-bridges-legacy-api</artifactId>
xwiki-pro-macros-confluence-bridges/xwiki-pro-macros-confluence-bridges-legacy/xwiki-pro-macros-confluence-bridges-legacy-ui/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ <parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-confluence-bridges-legacy-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> </parent> <!-- the artifact id doesn't match the folder. This is for backward compatibility, to ensure that user who installed the pro macros automatically get updates
xwiki-pro-macros-confluence-bridges/xwiki-pro-macros-confluence-bridges-ui/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ <parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-confluence-bridges-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> </parent> <artifactId>xwiki-pro-macros-confluence-bridges-ui</artifactId> <packaging>xar</packaging>
xwiki-pro-macros-test/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ <parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> </parent> <artifactId>xwiki-pro-macros-test</artifactId>
xwiki-pro-macros-test/xwiki-pro-macros-test-docker/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ <parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-test</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> </parent> <artifactId>xwiki-pro-macros-test-docker</artifactId> <name>Pro Macros - Tests - Docker</name>
xwiki-pro-macros-test/xwiki-pro-macros-test-pageobjects/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ <parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-test</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> </parent> <artifactId>xwiki-pro-macros-test-pageobjects</artifactId> <name>Pro Macros - Tests - Page Objects</name>
xwiki-pro-macros-ui/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ <parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> </parent> <artifactId>xwiki-pro-macros-ui</artifactId> <packaging>xar</packaging>
xwiki-pro-macros-xip/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ <parent> <groupId>com.xwiki.pro</groupId> <artifactId>xwiki-pro-macros-parent</artifactId> - <version>1.26.5-SNAPSHOT</version> + <version>1.26.5</version> </parent> <artifactId>xwiki-pro-macros-xip</artifactId> <name>Pro Macros - XIP</name>
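Review bot: in xwiki-pro-macros-confluence-bridges/pom.xml and in the legacy bridges parent pom.xml, the module's own `<version>1.26.5</version>` repeats the value already set in its `<parent>` block; dropping the redundant element would let the version be inherited and leave one fewer place for the two to drift apart. All 13 files change only version strings and the `<scm>` `<tag>`, so the escaping change has to be verified in 049716df415a, not in this commit.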
049716df415a Merge commit from fork
1 file changed · +1 −1
xwiki-pro-macros-confluence-bridges/xwiki-pro-macros-confluence-bridges-ui/src/main/resources/Confluence/Macros/ConfluencePasteCodeMacro.xml+1 −1 modified@@ -432,7 +432,7 @@ class Simple{ (% class="paste-code#if($withTitle) paste-code-with-title#end" %)((( #if("$!title" != '') (% class="paste-code-title" %)((( - $title + $services.rendering.escape($title, 'xwiki/2.1') ))) #end {{code language="$services.rendering.escape("$!language", $xwiki.currentContentSyntaxId)"}}
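Review bot: the new call on the title line hard-codes the target syntax as `'xwiki/2.1'`, while the `{{code language=...}}` line just below passes `$xwiki.currentContentSyntaxId` to the same `$services.rendering.escape`; use one convention throughout the macro so the escaping always matches the syntax the output is parsed in, and note in a comment why that value was chosen. The commit changes a single file, so no regression test accompanies the fix; a page test that renders the macro with a title containing wiki markup and asserts that it is displayed as literal text would keep this from regressing. The advisory text also names a classes parameter, which this hunk does not touch, so the remaining parameter references in the template are worth checking in the same pass.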
References
- github.com/xwikisas/xwiki-pro-macros/blob/93ac1a38c829e3ef787379b2b45eb043a573e5f7/xwiki-pro-macros-confluence-bridges/xwiki-pro-macros-confluence-bridges-ui/src/main/resources/Confluence/Macros/ConfluencePasteCodeMacro.xml (nvd)
- github.com/xwikisas/xwiki-pro-macros/commit/049716df415aaf00938a91d618d382777820d2af (nvd)
- github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-5w8v-h22g-j2mp (nvd)
- jira.xwiki.org/browse/XWIKI-20449 (nvd)