CVE-2025-66472

Description

### Impact A reflected XSS vulnerability in XWiki allows an attacker to send a victim to a URL with a deletion confirmation message on which the attacker-supplied script is executed when the victim clicks the "No" button. When the victim has admin or programming right, this allows the attacker to execute basically arbitrary actions on the XWiki installation including remote code execution. ### Patches This vulnerability has been patched in XWiki 16.10.10, 17.4.2 and 17.5.0 by using the affected URL parameter only in the intended context. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2) can be manually applied to the templates that are present in the WAR. A restart of XWiki is needed for the changes to be applied.

How to fix CVE-2025-66472

To remediate CVE-2025-66472, upgrade the affected package to a fixed version below.

• —upgrade to 16.10.10 or later
• —upgrade to 16.10.10 or later

Is CVE-2025-66472 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 6.2-milestone-1, < 16.10.10
• >= 6.2-milestone-1, < 16.10.10

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-66472
• PATCHgithub.com/xwiki/xwiki-platform
• WEBgithub.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2
• WEBgithub.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w