CVE-2025-66474
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki_rendering | 17.6.0-rc-1 |
| xwiki | xwiki_rendering | 16.10.10 |
| xwiki | xwiki_rendering | 17.5.0-rc-1 |
| xwiki | xwiki_rendering | 17.4.3 |
| xwiki | xwiki_rendering | 17.4.2 |
| xwiki | xwiki_rendering | 16.10.9 |
| xwiki | xwiki_rendering | 17.0.0-rc-1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in XWiki Rendering versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0. It involves insufficient protection against {{/html}} injection, allowing attackers who can edit their own profile or any other document to execute arbitrary script macros, including Groovy and Python macros. This enables remote code execution (RCE) and unrestricted read and write access to all wiki contents.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can execute arbitrary code remotely on the affected system. They can run script macros that allow them to read, modify, or delete any content within the wiki. This can lead to full compromise of the wiki contents and potentially the underlying system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade XWiki Rendering to version 16.10.10, 17.4.3, or 17.6.0-rc-1 or later, as these versions contain the fix for the vulnerability. Additionally, restrict editing permissions to trusted users only to prevent exploitation through profile or document edits.