CVE-2025-55728
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-09-17

Assigner: GitHub, Inc.

Description
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit any page The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-09-17
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-55728
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xwiki pro_macros From 1.0 (inc) to 1.26.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-55728 is a critical remote code execution vulnerability in the XWiki Pro Macros package. It occurs because the 'classes' parameter in the panel macro is not properly escaped or sanitized before being used in XWiki syntax. This allows an attacker who can edit any page to inject malicious XWiki syntax, including Groovy code, which can then be executed remotely. The vulnerability arises from improper handling of user input leading to syntax injection and remote code execution. [1, 2]

Impact Analysis

This vulnerability can have severe impacts including remote code execution by an attacker with page editing rights, or even by users with only viewing rights in some cases. The attacker can execute arbitrary code on the server, leading to full data access (confidentiality impact), data modification (integrity impact), and complete service disruption (availability impact). This means the attacker can take full control over the affected system remotely without needing special privileges or user interaction. [2]

Detection Guidance

This vulnerability can be detected by testing if the 'classes' parameter in the XWiki panel macro is improperly escaped, allowing XWiki syntax injection. A practical detection method is to attempt injecting Groovy code into the classes parameter, for example using the payload: `%)((({{async}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/async}}`. If this code executes, the system is vulnerable. Detection can be done by editing a page with the vulnerable macro and injecting this payload, then observing if the Groovy code runs. There are no specific network commands provided, but testing the macro input sanitization via the web interface is the suggested approach. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the XWiki Pro Macros package to version 1.26.5 or later, which contains the patch that properly escapes the 'classes' parameter in the panel macro. This patch uses the XWiki rendering service's escape method to sanitize the input and prevent code injection. Until the upgrade can be applied, restrict editing permissions to trusted users only, as any user with editing rights can exploit this vulnerability. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55728. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart