CVE-2025-29926

moderate-risk

Published 2025-03-19

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.

Do I need to act?

1.7% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 72fc19ec15b50001cc0b6a9987e344d85f5c56cd, 5292357f68df062a1b2f6a48410c3753e94771d3, d6d65b31d1a464df7e0d5d1b7491f926d45c155e

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (3)

Xwiki

Affected Vendors

Xwiki

References (3)

Patch https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d180...

Vendor Advisory https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gfp2-6qhm-7x43

Exploit https://jira.xwiki.org/browse/XWIKI-22490

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 5/34 · Minimal

Exposure 9/34 · Low