CVE-2025-49581: 
Java vulnerability analysis and mitigation

CVE-2025-49581 is a critical vulnerability discovered in XWiki, a generic wiki platform. The vulnerability was disclosed on June 13, 2025, and affects XWiki versions prior to 16.4.7, 16.10.3, and 17.0.0. The issue allows any user with edit rights on a page (including their own profile) to execute arbitrary code (Groovy, Python, Velocity) with programming privileges by defining a wiki macro (GitHub Advisory, NVD).

The vulnerability stems from a privilege context switching error in the wiki macro parameter handling. When a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used, rather than the rights of the macro's author. This can be exploited by overriding macros like the children macro that are used in pages with programming rights, such as XWiki.ChildrenMacro. The vulnerability has been assigned a CVSS v4.0 score of 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability allows attackers to gain full access to the entire XWiki installation, significantly impacting its confidentiality, integrity, and availability. An attacker can execute arbitrary code with programming privileges, potentially leading to complete system compromise (GitHub Advisory, Wiz).

The vulnerability has been patched in XWiki versions 16.4.7, 16.10.3, and 17.0.0. The fix involves executing wiki parameters with the rights of the wiki macro's author when the parameter's value is the default value. No workarounds are available except for upgrading to a patched version (GitHub Advisory).