CVE-2025-29926

HIGH EPSS 40.9%
Published Mar 19, 20251y ago · Modified Jun 17, 20261w ago
7.9 CVSS 4.0
High
Find Similar
Published Mar 19, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.

CVSS Details

Base Score
7.9
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
40.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-285
CWE-862 Missing Authorization Authorization

Affected Products 5

VendorProductVersionRange
xwikixwiki*≥5.4.1  –  <15.10.15
xwikixwiki*≥16.0.0  –  <16.4.6
xwikixwiki*≥16.5.0  –  <16.10.0
xwikixwiki5.4any
xwikixwiki5.4any

References 3

  • github.com https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99
    Patch
  • github.com https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gfp2-6qhm-7x43
    Vendor Advisory
  • jira.xwiki.org https://jira.xwiki.org/browse/XWIKI-22490
    ExploitIssue TrackingVendor Advisory

Remediation

  • github.com https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99
    Patch