8.6
CVE-2025-49585 - XWiki does not require right warnings for XClass definitions
XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script,β¦
8.7
CVE-2025-49584 - XWiki makes title of inaccessible pages available through the class property values REST API
XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default fβ¦
5.1
CVE-2025-49583 - XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admβ¦
XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can β¦
8.6
CVE-2025-49582 - XWiki's required right warnings for macros are incomplete
XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are iβ¦
8.7
CVE-2025-49581 - XWiki allows remote code execution through default value of wiki macro wiki-type parameters
XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameterβ¦
8.5
CVE-2025-49580 - XWiki allows privilege escalation through link refactoring
XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never beenβ¦
8.6
CVE-2025-48915 - COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-076
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.
8.6
CVE-2025-48914 - COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-075
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.
7.3
CVE-2025-48920 - etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal etracker allows Cross-Site Scripting (XSS).This issue affects etracker: from 0.0.0 before 3.1.0.
5
CVE-2025-48919 - Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-073
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS).This issue affects Simple Klaro: from 0.0.0 before 1.10.0.