CVE-2025-55729

CRITICAL

XWiki Remote Macros <1.26.5 - RCE

Title source: llm

Description

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can edit any page The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.

References (4)

[Vendor Advisory] https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-22xj-jpjg-gpgw

[Patch] https://github.com/xwikisas/xwiki-pro-macros/commit/06e6cf3893227527d0242a11e390642178d9df05

View Patch ZIP pw:eip

[Various Sources] https://github.com/xwikisas/xwiki-pro-macros/blob/93ac1a38c829e3ef787379b2b45eb043a573e5f7/xwiki-pro-macros-confluence-bridges/xwiki-pro-macros-confluence-bridges-ui/src/main/resources/Confluence/Macros/ConfluenceLayoutSection.xml#L518

[Various Sources] https://jira.xwiki.org/browse/XWIKI-20449

Scores

CVSS v3 10.0

EPSS 0.0088

EPSS Percentile 75.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-116

Status published

Products (1)

xwikisas/xwiki-pro-macros >= 1.0, < 1.26.5

Published Sep 09, 2025

Tracked Since Feb 18, 2026