6.4
CVE-2025-49587 - XWiki does not require right warnings for notification displayer objects
XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS…
8.7
CVE-2025-49586 - XWiki allows remote code execution through preview of XClass changes in AWM editor
XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 1…
8.6
CVE-2025-49585 - XWiki does not require right warnings for XClass definitions
XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script,…
8.7
CVE-2025-49584 - XWiki makes title of inaccessible pages available through the class property values REST API
XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default f…
5.1
CVE-2025-49583 - XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass adm…
XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can …
8.6
CVE-2025-49582 - XWiki's required right warnings for macros are incomplete
XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are i…
8.7
CVE-2025-49581 - XWiki allows remote code execution through default value of wiki macro wiki-type parameters
XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter…
8.5
CVE-2025-49580 - XWiki allows privilege escalation through link refactoring
XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been…
8.6
CVE-2025-48915 - COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-076
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.
8.6
CVE-2025-48914 - COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-075
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.