CVE-2025-46554

low-risk

Published 2025-04-30

XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. There is no filtering for the results depending on current user rights, meaning an unauthenticated user could exploit this even in a private wiki. This issue has been patched in versions 14.10.22, 15.10.12, 16.4.3, and 16.7.0.

Do I need to act?

0.07% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Xwiki

Affected Vendors

Xwiki

References (5)

Patch https://github.com/xwiki/xwiki-platform/commit/37ecea84fdd053c33733c2ae9a0778bf9...

Patch https://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e17579982...

Patch https://github.com/xwiki/xwiki-platform/commit/c02ce7843a39851865b9d7b6132e32fdd...

Exploit https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r5cr-xm48-97xp

Exploit https://jira.xwiki.org/browse/XWIKI-22424

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal