CVE-2025-66474

moderate-risk
Published 2025-12-10

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit through RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1.

Do I need to act?

~
1.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (3)

Xwiki-Rendering
Xwiki-Rendering
Xwiki-Rendering

Affected Vendors

Xwiki

References (10)

Patch https://github.com/xwiki/xwiki-platform/commit/12b780ccd5bca5fc8f74f46648d7e02fa...
Patch https://github.com/xwiki/xwiki-rendering/commit/9b71a2ee035815cfc29cebbfe81dbdd9...
Patch https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p
Exploit https://jira.xwiki.org/browse/XRENDERING-693
Exploit https://jira.xwiki.org/browse/XRENDERING-792
Exploit https://jira.xwiki.org/browse/XRENDERING-793
Patch https://jira.xwiki.org/browse/XWIKI-23378
Exploit https://jira.xwiki.org/browse/XRENDERING-693
Exploit https://jira.xwiki.org/browse/XRENDERING-792
Exploit https://jira.xwiki.org/browse/XRENDERING-793
43
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 4/34 · Minimal
Exposure 9/34 · Low