CVE-2025-49580
XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.
| Software | From | Fixed in |
|---|---|---|
org.xwiki.platform / xwiki-platform-refactoring-default
|
17.0.0-rc-1 | 17.1.0-rc-1 |
|
org.xwiki.platform / xwiki-platform-refactoring-default
|
16.5.0-rc-1 | 16.10.4 |
|
org.xwiki.platform / xwiki-platform-refactoring-default
|
8.2 | 16.4.7 |
|
org.xwiki.platform / xwiki-platform-refactoring-default
|
7.4.5 | - |
| xwiki / xwiki | 7.4.5 | 16.4.7 |
| xwiki / xwiki | 16.5.0 | 16.10.4 |
| xwiki / xwiki | 17.0.0 | 17.1.0 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime