CVE-2025-58049

HIGH EPSS 25.9%
Published Aug 28, 2025 (10mo ago) · Modified Jun 17, 2026 (2w ago)
7.5 CVSS 3.1
High

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
25.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-212
CWE-257

Affected Products 3

Vendor   Product   Version   Range
xwiki    xwiki     *         ≥14.4.2  –  <16.4.8
xwiki    xwiki     *         ≥16.5.0  –  <16.10.7
xwiki    xwiki     *         ≥17.0.0  –  ≤17.3.0

References 3

  • github.com https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539
    Patch
  • github.com https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429
    Vendor Advisory
  • jira.xwiki.org https://jira.xwiki.org/browse/XWIKI-23151
    Exploit, Issue Tracking, Vendor Advisory

Remediation

  • github.com https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539
    Patch