CVE-2025-55730

10.0 CRITICAL
Published: September 09, 2025 Modified: April 15, 2026

Description

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Quick Stats

CVSS v3 Score: 10.0 / 10.0
EPSS (Exploit Probability): 0.9% (75th percentile)
Exploitation Status: Not in CISA KEV

Weaknesses (CWE)