CVE-2025-49583: 
Java vulnerability analysis and mitigation

CVE-2025-49583 is a security vulnerability discovered in XWiki, a generic wiki platform, disclosed on June 13, 2025. The vulnerability affects the handling of notification email renderer objects, specifically when users without script rights create documents with XWiki.Notifications.Code.NotificationEmailRendererClass objects. The issue impacts various versions of XWiki, including versions prior to 15.10.16, 16.4.7, and 16.10.2 (GitHub Advisory).

The vulnerability stems from insufficient UI warning when handling XWiki.Notifications.Code.NotificationEmailRendererClass objects. While these templates allow Velocity code execution, the existing generic analyzer provides warnings to administrators before editing Velocity code. The vulnerability has been assigned a CVSS v4.0 Base Score of 5.1 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N (GitHub Advisory).

The primary impact of this vulnerability is the potential for spam distribution and phishing attacks through email notifications. While no malicious code execution is possible, attackers could use this vulnerability to send misleading email content to users or hide notifications about malicious activities (GitHub Advisory, XWiki Jira).

The vulnerability has been patched in XWiki versions 16.10.2, 16.4.7, and 15.10.16 through the addition of analysis for the respective XClass properties. For unpatched systems, the only workaround is exercising caution when editing documents previously modified by untrusted users, particularly when using script, admin, or programming rights (GitHub Advisory).