CVE-2025-49587: 
Java vulnerability analysis and mitigation

CVE-2025-49587 affects XWiki, an open-source wiki software platform. The vulnerability was discovered and disclosed on June 13, 2025. It involves a security issue where a user without script rights can create a document with an XWiki.Notifications.Code.NotificationDisplayerClass object containing malicious content, which can then be activated when an admin edits and saves that document (GitHub Advisory).

The vulnerability is related to the XWiki.Notifications.Code.NotificationDisplayerClass functionality, where malicious content in notification templates can be output as raw HTML, enabling XSS attacks. While the notification displayer executes Velocity code, the existing generic analyzer provides warnings before editing Velocity code. The vulnerability has been assigned a CVSS v4.0 score of 6.4 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H (GitHub Advisory).

When exploited, this vulnerability allows attackers to execute XSS (Cross-Site Scripting) attacks through the notification system. The impact is particularly significant as it affects subsequent systems with high confidentiality, integrity, and availability implications, despite not directly impacting the vulnerable system (GitHub Advisory, Wiz).

The vulnerability has been patched in XWiki versions 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns administrators before editing potentially malicious code. For unpatched systems, the only workaround is to exercise caution when editing documents previously modified by untrusted users, especially when using script, admin, or programming rights (GitHub Advisory).