CVE-2025-66024
Received Received - Intake
Stored XSS in XWiki Blog Post Title Enables Session Hijacking

Publication date: 2026-03-04

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML <title> tag without proper escaping. An attacker with permissions to create or edit blog posts can inject malicious JavaScript into the title field. This script will execute in the browser of any user (including administrators) who views the blog post. This leads to potential session hijacking or privilege escalation. The vulnerability has been patched in the blog application version 9.15.7 by adding missing escaping. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66024
EUVD
EUVD-2025-208293
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xwiki blog_application to 9.15.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the XWiki blog application versions prior to 9.15.7. It is a Stored Cross-Site Scripting (XSS) issue that occurs because the blog post title is inserted directly into the HTML <title> tag without proper escaping.

An attacker who has permission to create or edit blog posts can inject malicious JavaScript code into the title field. This malicious script will then execute in the browsers of any users who view the blog post, including administrators.

This can lead to session hijacking or privilege escalation. The vulnerability was fixed in version 9.15.7 by adding the missing escaping to the title field.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious JavaScript in the browsers of users who view the affected blog posts.

Such script execution can lead to session hijacking, where attackers steal user session tokens, or privilege escalation, where attackers gain higher access rights than intended.

This can compromise user accounts, including administrator accounts, potentially leading to unauthorized access and control over the XWiki platform.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability has been patched in the XWiki blog application version 9.15.7 by adding missing escaping to the blog post title.

To mitigate this vulnerability, you should immediately upgrade the XWiki blog application to version 9.15.7 or later.

No known workarounds are available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66024. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart