CVE-2025-54990: 
Java vulnerability analysis and mitigation

CVE-2025-54990 affects XWiki AdminTools, specifically impacting the access control mechanisms for administrative tools. The vulnerability was discovered and disclosed in November 2025, affecting versions up to and including 1.0.1 of the application-admintools package. The issue allows unauthorized access to AdminTools.SpammedPages, where view rights are not properly restricted to administrative users (GitHub Advisory).

The vulnerability is classified as a moderate severity issue with a CVSS v3.1 base score of 5.3. The attack vector is Network-based with low attack complexity, requiring no privileges or user interaction. The scope is unchanged, with low confidentiality impact and no impact on integrity or availability. The technical vulnerability stems from improper access control configuration where view rights for the AdminTools.SpammedPages are not restricted exclusively to admin users (GitHub Advisory).

While non-administrative users cannot view sensitive data within AdminTools.SpammedPages, they can still access the page itself, potentially exposing the existence of administrative functionality that should be hidden from regular users (GitHub Advisory).

A workaround is available by setting the view rights for the AdminTools space to be exclusively available for the XWikiAdminGroup. The vulnerability has been patched in version 1.1 of the application-admintools package (GitHub Advisory).