CRITICAL🇵🇱 Wersja polska

CVE-2025-55730

CVSS 10.0v3.1pub. 2025-09-09upd. 2026-04-15

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.

🤖 AI Analysis
How it works

The confluence paste code macro, part of XWiki Remote Macros, uses the 'classes' parameter without proper escaping in the context of XWiki syntax. An attacker can inject arbitrary XWiki syntax (XWiki syntax injection) into this parameter, which will be executed by the rendering engine. As a result, remote code execution on the server side is possible by any user with permission to edit any page in the XWiki instance.

Impact

An attacker can execute arbitrary code on the server, leading to complete compromise of the XWiki instance, including disclosure, modification or deletion of data (complete violation of confidentiality, integrity and availability).

Mitigation & patch

XWiki Remote Macros should be updated to version 1.26.5, which contains a fix for the described vulnerability. Details available in vendor references (GitHub Security Advisory GHSA-5w8v-h22g-j2mp).

Who is affected

XWiki Remote Macros (xwiki-pro-macros) in versions from 1.0 to earlier than 1.26.5

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References