CVE-2025-66474

8.8 HIGH

📋 TL;DR

CVE-2025-66474 is an HTML injection vulnerability in XWiki Rendering that allows authenticated users to execute arbitrary script macros, leading to remote code execution. Attackers can gain unrestricted read/write access to all wiki content and execute system commands. This affects any XWiki instance running a vulnerable version where users have edit permissions.

💻 Affected Systems

Products:
  • XWiki Rendering
  • XWiki Platform
Versions: 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0
Operating Systems: All platforms running XWiki
Default Config Vulnerable: ⚠️ Yes
Notes: Any XWiki installation with the vulnerable rendering component is affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the XWiki instance with full administrative control, data exfiltration, and potential lateral movement to underlying infrastructure.

🟠 Likely Case: Unauthorized data access/modification, privilege escalation, and arbitrary code execution within the XWiki environment.

🟢 If Mitigated: Limited impact if proper access controls restrict edit permissions to trusted users only.

🌐 Internet-Facing: HIGH - Internet-facing XWiki instances are directly exploitable by authenticated attackers.
🏢 Internal Only: HIGH - Internal instances remain vulnerable to insider threats or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with edit permissions. Because the flaw sits in the rendering engine, exploitation is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.10.10, 17.4.3, or 17.6.0-rc-1

Vendor Advisory: https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p

Restart Required: Yes

Instructions:

1. Identify your XWiki version.
2. Upgrade to a patched version: 16.10.10, 17.4.3, or 17.6.0-rc-1.
3. Restart the XWiki application server.
4. Verify the fix by checking the version and testing rendering functionality.

🔧 Temporary Workarounds

Restrict Edit Permissions (applies to: all)

Temporarily limit document editing to only essential administrators until patching.

Action: Configure XWiki permissions to restrict edit rights.

Disable Script Macros (applies to: all)

Disable Groovy and Python script macros to prevent code execution.

Action: Modify XWiki configuration to disable script macros.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can edit documents
  • Monitor for suspicious editing activity and script macro usage

🔍 How to Verify

Check if Vulnerable:

Compare the XWiki version against the affected ranges. Review whether users can edit documents containing HTML macros.

Check Version:

Check the XWiki administration panel or application logs for version information.

Verify Fix Applied:

Confirm version is 16.10.10, 17.4.3, or 17.6.0-rc-1+. Test that {{/html}} injection no longer executes script macros.

📡 Detection & Monitoring

Log Indicators:

  • Unusual document edits
  • Script macro executions
  • HTML rendering errors

Network Indicators:

  • HTTP POST requests to edit endpoints with suspicious content

SIEM Query:

Search for: 'edit' actions containing '{{/html}}' or script macro patterns in XWiki logs
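As an added example (not part of this advisory and not XWiki's own tooling), the following Python script compares a version string against the affected ranges listed under Affected Systems and applies the SIEM pattern above to constructed edit-log lines. The log line format and its `action=edit` field are assumptions; XWiki's real log format differs.

```python
import re
from typing import List, Tuple

# Affected ranges as the advisory lists them (inclusive bounds). The "0.0.0"
# lower bound is an assumption standing in for "16.10.9 and below".
AFFECTED_RANGES = [
    ("0.0.0", "16.10.9"),
    ("17.0.0-rc-1", "17.4.2"),
    ("17.5.0-rc-1", "17.5.0"),
]

def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '17.6.0-rc-1' into a sortable tuple; a final release sorts
    after its own release candidates (17.6.0-rc-1 < 17.6.0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-rc-(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    major, minor, patch, rc = m.groups()
    # candidates carry (0, rc_number); final releases carry (1, 0)
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))

def is_affected(version: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)

# Patterns from the advisory's SIEM query: the closing html-macro marker
# and the openers of the Groovy/Python script macros named in the workarounds.
SUSPICIOUS = re.compile(r"\{\{/html\}\}|\{\{(?:groovy|python)\b", re.I)

def flag_edit_lines(log_lines: List[str]) -> List[str]:
    """Return edit-action lines whose content matches a pattern. Legitimate
    html macros also close with {{/html}}, so hits are triage input, not
    proof of exploitation. Line format is a constructed placeholder."""
    return [ln for ln in log_lines
            if " action=edit " in ln and SUSPICIOUS.search(ln)]

# Constructed sample log lines in the placeholder format above.
SAMPLE_LOG = [
    "2025-11-20T10:01:02Z user=alice action=view doc=Main.WebHome",
    "2025-11-20T10:02:15Z user=bob action=edit doc=Sandbox.Test content={{html}}<b>x</b>{{/html}}",
    "2025-11-20T10:03:40Z user=bob action=edit doc=Sandbox.Test content={{groovy}}println 'x'{{/groovy}}",
    "2025-11-20T10:04:05Z user=carol action=edit doc=Main.WebHome content=plain text only",
]
```

Run `is_affected("17.4.3")` to confirm a patched version is reported as not affected, and `flag_edit_lines(SAMPLE_LOG)` to see the two lines that warrant a look.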
