Vulnerability Description
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | <= 17.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51991.mdExploitThird Party Advisory
- https://xwiki.orgProduct
FAQ
What is CVE-2025-51991?
CVE-2025-51991 is a vulnerability with a CVSS score of 8.8 (HIGH). XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation...
How severe is CVE-2025-51991?
CVE-2025-51991 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-51991?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.