QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-58365

Back to search

CVE-2025-58365

Published: Sep 8, 2025

Modified: Sep 9, 2025

PUBLISHED

Description

The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Prior to version 9.14, the blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit their own user profile. For an exploit, it is sufficient to add an object of type `Blog.BlogPostClass` to any page and to add some script macro with the exploit code to the "Content" field of that object. The vulnerability has been patched in the blog application version 9.14 by executing the content of blog posts with the rights of the appropriate author. No known workarounds are available.

VendorProductVersions

xwiki-contrib

application-blog

affected
< 9.14

Weaknesses (CWE)

CWE-95

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now