Vulnerability Description
XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting (XSS) through HTML. In particular, using Markdown syntax, it's possible for any user to embed Javascript code that will then be executed on the browser of any other user visiting either the document or the comment that contains it. In the instance that this code is executed by a user with admins or programming rights, this issue compromises the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in version 8.9.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | >= 8.2, < 8.9 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki-contrib/syntax-markdown/commit/d136472d6e8a47981a0ede42Patch
- https://github.com/xwiki-contrib/syntax-markdown/security/advisories/GHSA-8g2j-rPatchThird Party Advisory
- https://jira.xwiki.org/browse/MARKDOWN-80ExploitIssue Tracking
FAQ
What is CVE-2025-46558?
CVE-2025-46558 is a vulnerability with a CVSS score of 9.0 (CRITICAL). XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable ...
How severe is CVE-2025-46558?
CVE-2025-46558 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-46558?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.