CVE-2025-66473
HIGH EPSS 25.7%
Published Dec 10, 20256mo ago · Modified Jun 17, 20261w ago
8.7 CVSS 4.0
Published Dec 10, 2025 6mo ago
Last Modified Jun 17, 2026 1w ago
Description
XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
25.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-770
Affected Products 3
References 3
- github.com https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b
- github.com https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf
- jira.xwiki.org https://jira.xwiki.org/browse/XWIKI-23355
Remediation
- github.com https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b
- github.com https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf
- jira.xwiki.org https://jira.xwiki.org/browse/XWIKI-23355