CVE-2025-66474
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-10

Last updated on: 2025-12-11

Assigner: GitHub, Inc.

Description
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit through RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-10
Last Modified
2025-12-11
Generated
2026-06-16
AI Q&A
2025-12-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66474
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
xwiki xwiki_rendering 17.6.0-rc-1
xwiki xwiki_rendering 16.10.10
xwiki xwiki_rendering 17.5.0-rc-1
xwiki xwiki_rendering 17.4.3
xwiki xwiki_rendering 17.4.2
xwiki xwiki_rendering 16.10.9
xwiki xwiki_rendering 17.0.0-rc-1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in XWiki Rendering versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0. It involves insufficient protection against {{/html}} injection, allowing attackers who can edit their own profile or any other document to execute arbitrary script macros, including Groovy and Python macros. This enables remote code execution (RCE) and unrestricted read and write access to all wiki contents.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary code remotely on the affected system. They can run script macros that allow them to read, modify, or delete any content within the wiki. This can lead to full compromise of the wiki contents and potentially the underlying system.

Mitigation Strategies

Upgrade XWiki Rendering to version 16.10.10, 17.4.3, or 17.6.0-rc-1 or later, as these versions contain the fix for the vulnerability. Additionally, restrict editing permissions to trusted users only to prevent exploitation through profile or document edits.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66474. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart