CVE-2025-58365
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-09-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | application-blog | before 9.14 (fixed in 9.14) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the XWiki Blog Application lets any user with edit rights on any page (usually every logged-in user) execute remote code. The attacker adds a Blog.BlogPostClass object to a page they can edit and puts script code in that object's Content field; the blog application then renders that content with more rights than the attacker holds, so the script runs on the server. The issue was fixed in version 9.14 by executing blog post content with the rights of its author, so a script saved by a user without script rights no longer runs with elevated rights.
How can this vulnerability impact me?
An attacker who has edit rights on any page can execute arbitrary code on the server hosting XWiki. That can lead to data theft or manipulation, compromise of the XWiki host, and further attacks within the environment where XWiki is deployed.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the XWiki Blog Application to version 9.14 or later, where blog post content is executed with the rights of its author. No workaround is known, so applying the update is the immediate mitigation step.
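As an added check (example code written for this page, not code from BaseFortify, XWiki or the Blog Application), the script below scans XWiki page XML exports for Blog.BlogPostClass objects whose content contains a script macro. That is the condition the explanation above describes: such an object on any page, saved by a content author who should not have script rights, is what the 9.14 fix neutralises and what you want to find both before upgrading and when reviewing what was planted beforehand. The XAR-style element layout (`<xwikidoc>`, `<object>`/`<className>`, `<property>`/`<content>`, `<contentAuthor>`) and the macro list are assumptions; the two pages are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Script macros whose presence in a blog post body deserves a look. The list is
# an assumption for this example; extend it to whatever macros your wiki enables.
SCRIPT_MACRO = re.compile(r"\{\{\s*(groovy|velocity|python|script)\b", re.IGNORECASE)

BLOG_POST_CLASS = "Blog.BlogPostClass"


def find_script_blog_posts(page_xml: str) -> list[dict]:
    """Return one finding per Blog.BlogPostClass object whose content property
    carries a script macro, regardless of which page the object sits on."""
    root = ET.fromstring(page_xml)
    doc_ref = f"{root.findtext('web', '')}.{root.findtext('name', '')}"
    # Assumed XAR layout: the document-level author fields sit beside the objects.
    content_author = (root.findtext("contentAuthor") or root.findtext("author") or "").strip()
    findings = []
    for obj in root.iter("object"):
        if (obj.findtext("className") or "").strip() != BLOG_POST_CLASS:
            continue
        # Assumed layout: each property is wrapped as <property><content>...</content></property>.
        body = ""
        for prop in obj.findall("property"):
            node = prop.find("content")
            if node is not None and node.text:
                body = node.text
        match = SCRIPT_MACRO.search(body)
        if match:
            findings.append({
                "document": doc_ref,
                "object_number": (obj.findtext("number") or "?").strip(),
                "macro": match.group(1).lower(),
                "content_author": content_author,
            })
    return findings


def scan_pages(pages: dict[str, str]) -> list[dict]:
    """Run the check over several exported pages (label -> XML text)."""
    results = []
    for xml_text in pages.values():
        results.extend(find_script_blog_posts(xml_text))
    return results


# Constructed sample: a blog post object planted on a page outside the Blog space,
# whose content carries a script macro. The macro body is a harmless println; the
# check flags the macro, not what it does.
SUSPICIOUS_PAGE = """<xwikidoc version="1.3" reference="Sandbox.Notes" locale="">
  <web>Sandbox</web>
  <name>Notes</name>
  <author>xwiki:XWiki.Mallory</author>
  <contentAuthor>xwiki:XWiki.Mallory</contentAuthor>
  <object>
    <name>Sandbox.Notes</name>
    <number>0</number>
    <className>Blog.BlogPostClass</className>
    <property>
      <title>Harmless looking post</title>
    </property>
    <property>
      <content>{{groovy}}println("hello"){{/groovy}}</content>
    </property>
  </object>
  <content>Nothing to see here.</content>
</xwikidoc>
"""

# Constructed sample: an ordinary blog post using a non-script macro, which must not be flagged.
BENIGN_PAGE = """<xwikidoc version="1.3" reference="Blog.WelcomePost" locale="">
  <web>Blog</web>
  <name>WelcomePost</name>
  <author>xwiki:XWiki.Admin</author>
  <contentAuthor>xwiki:XWiki.Admin</contentAuthor>
  <object>
    <name>Blog.WelcomePost</name>
    <number>0</number>
    <className>Blog.BlogPostClass</className>
    <property>
      <content>Welcome to the wiki. See {{toc/}} for the outline.</content>
    </property>
  </object>
</xwikidoc>
"""

if __name__ == "__main__":
    for hit in scan_pages({"suspicious": SUSPICIOUS_PAGE, "benign": BENIGN_PAGE}):
        print(f"{hit['document']} object #{hit['object_number']}: "
              f"{hit['macro']} macro, content author {hit['content_author']}")
```

A hit is not proof of abuse on its own: pair each finding with the content author's actual rights in the wiki, since a script macro saved by a user who legitimately holds script or programming rights is normal blog content. What makes the unpatched version dangerous is that the macro ran regardless of who saved it; after upgrading to 9.14 the same content renders with that author's rights, so findings from non-privileged authors are the leftovers to clean up rather than live code paths.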