CVE-2025-29926

Summary

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.

Affected Software

VendorProductVersion RangeStatus
xwikixwiki-platform>= 5.4-rc-1, < 15.10.15affected
xwikixwiki-platform>= 16.0.0-rc-1, < 16.4.6affected
xwikixwiki-platform>= 16.5.0-rc-1, < 16.10.0affected

Weaknesses

  • CWE-285: CWE-285: Improper Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References