CVE-2025-24853: 
Java vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in Apache JSPWiki, identified as CVE-2025-24853, affecting versions up to 2.12.2. The vulnerability was discovered by XBOW Security and publicly disclosed on July 31, 2025. The issue exists in both the core markup parser and the Markdown extension of JSPWiki (Apache Advisory, OSS Security).

The vulnerability stems from improper sanitization of user input when rendering links in two components: the core markup parser and the Markdown extension. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, and it has an EPSS score of 0.05827% (Miggo Database, NVD).

When exploited, this vulnerability allows an attacker to execute JavaScript code in the victim's browser through carefully crafted header links using the wiki markup syntax. This can lead to the exposure of sensitive information about the victim (Apache Advisory).

Users of Apache JSPWiki are strongly advised to upgrade to version 2.12.3 or later, which contains the security fix for this vulnerability. The patch introduces conditional escaping using escapeHTMLEntities when HTML is not allowed and properly configures the HtmlRenderer.ESCAPE_HTML option in the Markdown parser (Apache Advisory).