CVE-2025-55748

Published Sep 3, 2025

Last updated 6 months ago

CVSS critical 9.3

Overview

Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false`. This is fixed in version 16.10.7.
Source
security-advisories@github.com
NVD status
Analyzed
Products
xwiki

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-23

Social media

Hype score
Not currently trending

  1. 🚨 Active exploitation detected 📦 Product: XWiki 🆔 Vuln: CVE-2025-55748 A path traversal vulnerability allows remote attackers to access and read sensitive configuration files via specially crafted URLs. ⚠️ Mitigation: Apply security patches immediately. 📈 Scor

    @XavSecOps

    16 Jan 2026

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. 🚨 New plugin: XWikiPlugin (CVE-2025-24893, CVE-2025-32429, CVE-2025-52472, CVE-2025-55748). XWiki multiple critical vulnerabilities detection - RCE, SQL/HQL injection, and path traversal. Results: https://t.co/PxFnlE9Gg8 https://t.co/KsHMoApXyo

    @leak_ix

    1 Dec 2025

    850 Impressions

    2 Retweets

    9 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  3. 🚨 In this week’s Threat Alert, CrowdSec detects a surge in exploitation of CVE-2025-55748, a path traversal vulnerability in XWiki exposing sensitive configuration files. 📈 Observed activity is rising, yet this flaw is not yet listed in CISA’s KEV, increasing the risk

    @Crowd_Security

    12 Nov 2025

    252 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 CVE-2025-55748 - high 🚨 XWiki Platform - Path Traversal > XWiki Platform 4.2-milestone-2 through 16.10.6 contains a path traversal caused by im... 👾 https://t.co/81CzUxQ7QQ @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    19 Oct 2025

    168 Impressions

    0 Retweets

    0 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-55748 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration fi… https://t.co/7SxhIYbOOm

    @CVEnew

    3 Sept 2025

    278 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.CVE-2026-26000
  2. XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required.CVE-2026-24128
  3. XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11.CVE-2025-66473
  4. XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the "No" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates.CVE-2025-66472
  5. XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contains credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.CVE-2025-55749

References

Sources include official advisories and independent security research.