CVE-2025-49580 — HIGH (8.0)

Q: How severe is CVE-2025-49580?

CVE-2025-49580 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-49580?

Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.

Vulnerability Description

XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.

CVSS Score

8.0

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Xwiki	Xwiki	>= 7.4.5, < 16.4.7

Related Weaknesses (CWE)

CWE-266

References

https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd69Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-22836ExploitIssue TrackingVendor Advisory

FAQ

What is CVE-2025-49580?

CVE-2025-49580 is a vulnerability with a CVSS score of 8.0 (HIGH). XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed ...

How severe is CVE-2025-49580?

CVE-2025-49580 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-49580?

Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.