CVE-2025-49585: 
Java vulnerability analysis and mitigation

CVE-2025-49585 affects XWiki, a generic wiki platform. The vulnerability was discovered and disclosed on June 13, 2025, impacting versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1. The issue allows attackers with edit rights but without script or programming rights to create malicious XClass definitions that could later be executed with elevated privileges when edited by users with higher access levels (GitHub Advisory).

The vulnerability is related to insufficient UI warning of dangerous operations in XClass definitions, particularly when handling custom display code, computed properties scripts, and database list property queries. The system failed to provide adequate warnings before execution of potentially malicious code. The vulnerability received a CVSS v4.0 base score of 8.6 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N, indicating network accessibility with low attack complexity (GitHub Advisory).

When exploited, the vulnerability allows malicious code execution with elevated privileges when a user with script, admin, or programming rights edits a compromised XClass definition. This could lead to high impacts on confidentiality, integrity, and availability of the vulnerable system, with additional low impacts on subsequent systems (GitHub Advisory).

The vulnerability has been patched in XWiki versions 16.10.2, 16.4.7, and 15.10.16 by implementing analysis for the respective XClass properties. Prior to applying the patch, the only workaround is to exercise caution when editing documents previously modified by untrusted users, particularly when operating with script, admin, or programming rights (GitHub Advisory).