CVE-2025-29926

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.

Published: Mar 19, 2025
Updated: Aug 11, 2025
CVE: CVE-2025-29926
GHSA: GHSA-gfp2-6qhm-7x43
Severity: High
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
org.xwiki.platform / xwiki-platform-wiki-rest-default	5.4-rc-1	15.10.15
org.xwiki.platform / xwiki-platform-wiki-rest-default	16.0.0-rc-1	16.4.6
org.xwiki.platform / xwiki-platform-wiki-rest-default	16.5.0-rc-1	16.10.0
xwiki / xwiki	16.0.0	16.4.6
xwiki / xwiki	16.5.0	16.10.0
xwiki / xwiki	5.4.1	15.10.15
xwiki / xwiki	5.4	5.4.x
xwiki / xwiki	5.4-rc1	5.4-rc1.x

Vulnerability Database

CVE-2025-29926

Deep Security Visibility Without the Complexity