CVE-2025-49580: XWiki allows privilege escalation through link refactoring

June 13, 2025

Pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability affects all version of XWiki since 8.2 and 7.4.5.

References

github.com/advisories/GHSA-jm43-hrq7-r7w6
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec
github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6
jira.xwiki.org/browse/XWIKI-22836
nvd.nist.gov/vuln/detail/CVE-2025-49580

Code Behaviors & Features

Detect and mitigate CVE-2025-49580 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →