CVE-2025-49586: XWiki allows remote code execution through preview of XClass changes in AWM editor
Any XWiki user with edit right on at least one App Within Minutes (AWM) application, which is the default for all XWiki users, can obtain programming right, and therefore remote code execution on the server, by editing that application: the preview of XClass changes in the AWM editor is evaluated with elevated privileges. Detailed reproduction steps are given in the original bug report.