CVE-2025-53835: 
Java vulnerability analysis and mitigation

CVE-2025-53835 affects XWiki Rendering, a generic rendering system that converts textual input between different syntaxes. The vulnerability was discovered in versions from 5.4.5 to 14.10, where the XHTML syntax had a dependency on the xdom+xml/current syntax that allowed creation of raw blocks permitting arbitrary HTML content including JavaScript injection. The issue was disclosed on July 14, 2025 (NVD, GitHub Advisory).

The vulnerability stems from the XHTML syntax's dependency on the xdom+xml/current syntax, which enables the creation of raw blocks that can contain arbitrary HTML content including JavaScript. The issue has been assigned a CVSS v3.1 base score of 9.0 CRITICAL with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. The vulnerability is classified under CWE-79 (Cross-site Scripting) and CWE-80 (Improper Neutralization of Script-Related HTML Tags) (NVD).

The vulnerability allows XSS attacks for users who can edit a document like their user profile, which is enabled by default. Successful exploitation could lead to session hijacking, credential theft, and potential privilege escalation when users with higher privileges visit affected pages (GitHub Advisory).

The vulnerability has been fixed in version 14.10 by removing the dependency on the xdom+xml/current syntax from the XHTML syntax. There are no known workarounds apart from upgrading to the patched version. Note that the xdom+xml syntax remains vulnerable, but as it's mainly used for testing, it should not be installed or used in production environments (GitHub Advisory).