CVE-2025-32429: XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter
It is possible for anyone to inject SQL using the sort parameter of the getdeleteddocuments.vm template: the parameter value is injected as-is into an ORDER BY clause.
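The defect class described above (a caller-controlled sort value concatenated into ORDER BY) and the usual fix (an allow-list of sortable columns and directions) are illustrated in the following added example. It is illustration code written for this page, not XWiki's code or the fix in the referenced commits; the table name, column names and sample rows are constructed assumptions, and SQLite stands in for the real database.

```python
import sqlite3

# Constructed stand-in for a deleted-documents table; the schema and column
# names are assumptions for this example, not XWiki's own schema.
SCHEMA = """
CREATE TABLE deleted_documents (
    id INTEGER PRIMARY KEY,
    fullname TEXT NOT NULL,
    deleter TEXT NOT NULL,
    deleted_date TEXT NOT NULL
);
"""

# Constructed sample rows.
SAMPLE_ROWS = [
    ("Main.WebHome", "alice", "2025-01-03"),
    ("Sandbox.Test", "bob", "2025-02-14"),
    ("Docs.Guide", "carol", "2025-01-20"),
]


def vulnerable_query(sort: str) -> str:
    """The unsafe pattern: whatever the caller supplies as `sort` is pasted
    straight into ORDER BY, so the database interprets it as SQL."""
    return f"SELECT fullname FROM deleted_documents ORDER BY {sort}"


# Only these columns may be sorted on, and only in these directions.
ALLOWED_COLUMNS = {"fullname", "deleter", "deleted_date"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def safe_order_by(sort: str) -> str:
    """Hardened pattern: accept only '<column>' or '<column> <asc|desc>' where
    the column is in a fixed allow-list. Anything else is rejected outright
    rather than escaped, because ORDER BY cannot take a bound parameter."""
    parts = sort.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError(f"invalid sort expression: {sort!r}")
    column = parts[0]
    direction = parts[1].lower() if len(parts) == 2 else "asc"
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid sort expression: {sort!r}")
    return f"{column} {direction.upper()}"


def safe_query(sort: str) -> str:
    """Build the query from the validated ORDER BY fragment only."""
    return f"SELECT fullname FROM deleted_documents ORDER BY {safe_order_by(sort)}"


def is_safe_sort(sort: str) -> bool:
    """True when the sort value passes the allow-list check."""
    try:
        safe_order_by(sort)
        return True
    except ValueError:
        return False


def list_deleted(sort: str) -> list[str]:
    """Run the hardened query against an in-memory SQLite copy of the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO deleted_documents (fullname, deleter, deleted_date) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    rows = conn.execute(safe_query(sort)).fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    # A harmless non-column expression passes straight through the unsafe builder...
    print(vulnerable_query("deleted_date, (SELECT 1)"))
    # ...but is rejected by the allow-list, while legitimate sorts still work.
    print(is_safe_sort("deleted_date, (SELECT 1)"), is_safe_sort("deleted_date desc"))
    print(list_deleted("deleted_date desc"))
```

The validation rejects rather than escapes because identifiers in ORDER BY cannot be passed as bound parameters; the same allow-list approach applies to HQL or any other query language where the sort column is interpolated into the statement text.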
References
- github.com/advisories/GHSA-vr59-gm53-v7cq
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101
- github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq
- jira.xwiki.org/browse/XWIKI-23093
- nvd.nist.gov/vuln/detail/CVE-2025-32429