CVE-2025-58365

Description

### Impact The blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit their own user profile. To exploit, it is sufficient to add an object of type `Blog.BlogPostClass` to any page and to add some script macro with the exploit code to the "Content" field of that object. ### Patches The vulnerability has been patched in the blog application version 9.14 by executing the content of blog posts with the rights of the appropriate author. ### Workarounds We're not aware of any workarounds. ### Resources * https://jira.xwiki.org/browse/BLOG-191 * https://github.com/xwiki-contrib/application-blog/commit/b98ab6f17da3029576f42d12b4442cd555c7e0b4

How to fix CVE-2025-58365

To remediate CVE-2025-58365, upgrade the affected package to a fixed version below.

• —upgrade to 9.14 or later

Is CVE-2025-58365 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 9.14

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-58365
• PATCHgithub.com/xwiki-contrib/application-blog
• WEBgithub.com/xwiki-contrib/application-blog/commit/b98ab6f17da3029576f42d12b4442cd555c7e0b4
• WEBgithub.com/xwiki-contrib/application-blog/security/advisories/GHSA-gwj6-xpfg-pxwr