CVE-2025-55728
CRITICALXWiki Remote Macros 1.0-1.26.4 - Remote Code Execution via Panel Macro Classes Parameter
Title source: llmDescription
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit any page The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 contains a patch for the issue.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-48f4-h726-74p5
Patch x_refsource_misc
https://github.com/xwikisas/xwiki-pro-macros/commit/3ca815294bf54fc024b2363efbece7aa08b8efd5
Product x_refsource_misc
https://github.com/xwikisas/xwiki-pro-macros/blob/93ac1a38c829e3ef787379b2b45eb043a573e5f7/xwiki-pro-macros-ui/src/main/resources/XWiki/Macros/Panel.xml#L554
Not Applicable x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-20449
Scores
CVSS v3
10.0
EPSS
0.0074
EPSS Percentile
49.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-95
CWE-94
Status
published
Products (1)
xwiki/pro_macros
1.0 - 1.26.5
Published
Sep 09, 2025
Tracked Since
Feb 18, 2026