CVE-2025-29926
Severity: CRITICAL
XWiki Platform <15.10.15, <16.4.6, <16.10.0 - Info Disclosure
Title source: llmDescription
XWiki Platform is a generic wiki platform. Prior to versions 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, in which that user becomes an administrator and can then perform further attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.
References (3)
Vendor Advisory (x_refsource_confirm): https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gfp2-6qhm-7x43
Patch (x_refsource_misc): https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99
Exploit, Issue Tracking, Vendor Advisory (x_refsource_misc): https://jira.xwiki.org/browse/XWIKI-22490
Scores
CVSS v3: 9.8
EPSS: 0.0189
EPSS Percentile: 83.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-862, CWE-285
Status: published
Products (3)
org.xwiki.platform/xwiki-platform-wiki-rest-default (Maven): 5.4-rc-1 - 15.10.15
xwiki/xwiki: 5.4 (2 CPE variants)
xwiki/xwiki: 5.4.1 - 15.10.15
Published: Mar 19, 2025
Tracked Since: Feb 18, 2026