CVE-2025-49586: 
Java vulnerability analysis and mitigation

CVE-2025-49586 is a critical security vulnerability discovered in XWiki, an open-source wiki software platform. The vulnerability was disclosed on June 13, 2025, and affects versions from 7.2-milestone-2 up to versions 16.4.7, 16.10.3, and 17.0.0. Any XWiki user with edit rights on at least one App Within Minutes application (which is the default for all users) can obtain programming rights and perform remote code execution by editing the application (GitHub Advisory).

The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The issue stems from improper authorization (CWE-863) in the XClass changes preview functionality within the AWM editor. The vulnerability can be exploited remotely with low attack complexity and requires only low-level privileges (GitHub Advisory, NVD).

The successful exploitation of this vulnerability allows attackers to execute arbitrary code on the affected system, potentially leading to complete system compromise. The vulnerability affects all three major security aspects with high severity: confidentiality, integrity, and availability of the vulnerable system (GitHub Advisory).

The vulnerability has been patched in XWiki versions 17.0.0, 16.4.7, and 16.10.3. As a temporary workaround, administrators can restrict edit rights on all existing App Within Minutes applications to trusted users, although this may not completely mitigate all potential exploit vectors (GitHub Advisory).