CVE-2025-24854: Apache JSPWiki Cross-Site Scripting (XSS) Vulnerability in the Image Plugin

July 31, 2025

A carefully crafted request using the Image plugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim’s browser and get some sensitive information about the victim.

Apache JSPWiki users should upgrade to 2.12.3 or later.

References

github.com/advisories/GHSA-72ww-4rcw-mc62
github.com/apache/jspwiki
jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24854
nvd.nist.gov/vuln/detail/CVE-2025-24854

Code Behaviors & Features

Detect and mitigate CVE-2025-24854 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →