CVE-2025-55728
moderate-risk
Published 2025-09-09
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection, which enables remote code execution. Version 1.26.5 contains a patch for the issue.
Do I need to act?
4.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Fix available
Upgrade to: 61d5644ce198a52f3e0a89be8161df0d2cb25f5e
CVSS 10.0/10
Critical
NETWORK / LOW complexity
Affected Products (1)
Pro Macros
Affected Vendors
References (6)
Not Applicable
https://jira.xwiki.org/browse/XWIKI-20449
45/100 · moderate-risk
Severity
33/34 · Critical
Exploitability
7/34 · Low
Exposure
5/34 · Minimal