CVE-2025-24853

HIGH

Apache JSPWiki - XSS

Title source: llm

Description

A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too. Apache JSPWiki users should upgrade to 2.12.3 or later.

References (2)

[Vendor Advisory] https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853

[Mailing List] http://www.openwall.com/lists/oss-security/2025/07/30/2

Scores

CVSS v3 7.5

EPSS 0.0024

EPSS Percentile 46.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE

CWE-79

Status published

Affected Products (3)

apache/jspwiki < 2.12.3

org.apache.jspwiki/jspwiki-main < 2.12.3Maven

org.apache.jspwiki/jspwiki-markdown < 2.12.3Maven

Timeline

Published Jul 31, 2025

Tracked Since Feb 18, 2026