Vulnerability Description
XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | >= 10.9, < 16.4.7 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1Patch
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fvVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-22736ExploitIssue TrackingVendor Advisory
FAQ
What is CVE-2025-49584?
CVE-2025-49584 is a vulnerability with a CVSS score of 7.5 (HIGH). XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed ...
How severe is CVE-2025-49584?
CVE-2025-49584 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-49584?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.