CVE-2025-32968: 
Java vulnerability analysis and mitigation

CVE-2025-32968 affects XWiki, a generic wiki platform, discovered and disclosed on April 23, 2025. The vulnerability exists in versions from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1. This security issue has been assigned a CVSS v4.0 base score of 8.6 (HIGH) (NVD, GitHub Advisory).

The vulnerability allows users with SCRIPT right to escape from the HQL (Hibernate Query Language) execution context and perform blind SQL injection to execute arbitrary SQL statements on the database backend. The issue stems from the secure query manager not being applied when using short form queries. For example, an attacker can exploit this by using specific query syntax to bypass restrictions and access the database directly (GitHub Advisory).

The vulnerability's impact is severe, allowing attackers to obtain confidential information such as password hashes from the database and execute UPDATE/INSERT/DELETE queries, depending on the database backend used. This affects the confidentiality, integrity, and availability of the XWiki installation, particularly when using MySQL or MariaDB databases (GitHub Advisory).

The vulnerability has been patched in XWiki versions 16.10.1, 16.4.6, and 15.10.16. There are no known workarounds other than upgrading to a patched version. The fix implements the same protection as used for complete select queries, though this stricter protection might require programming rights for some complex but valid queries (GitHub Advisory).