Cyber Posture

CVE-2025-65036

Severity: High

Published: 05 December 2025
Modified: 20 February 2026
KEV Added: (not listed)
Patch: available
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0093 (76.2nd percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1.

Mitigating Controls (NIST 800-53 r5)

- prevent: Enforces approved authorizations before executing Velocity code from details pages, directly addressing the missing permission checks that enable RCE.
- prevent: Remediates the specific flaw by timely patching to XWiki Remote Macros version 1.27.1, which adds the required permission checks.
- prevent: Applies least privilege to restrict low-privilege users from executing arbitrary Velocity code, limiting the vulnerability's exploitation scope.

Security Summary

CVE-2025-65036 affects XWiki Remote Macros, a component that provides XWiki rendering macros for migrating content from Confluence. In versions prior to 1.27.1, the macro executes Velocity code from details pages without performing permission checks, enabling remote code execution. The vulnerability is associated with CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to its potential for significant impact.

An attacker with low-privilege access, such as a registered user on the XWiki instance, can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious content in details pages, the attacker can trigger unauthorized Velocity execution, achieving remote code execution on the server. This grants high confidentiality and integrity impacts, with low availability disruption, allowing data exfiltration, modification, or other server-side actions.

The vulnerability is addressed in XWiki Remote Macros version 1.27.1, which introduces proper permission checks to prevent unauthorized Velocity execution. Security practitioners should update to this version immediately. Additional details are available in the GitHub Security Advisory at https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-472x-fwh9-r82f.

Details

CWE(s)

CWE-862 Missing Authorization

Affected Products

xwiki pro macros ≤ 1.27.1
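A defender's first question for this record is which deployments still run an affected build. The following inventory check is an added example, not code from the Cyber Posture page or the XWiki project: it parses component versions numerically (so that 1.9 is correctly ordered before 1.27.1), follows the description's affected range of "prior to 1.27.1", treats a pre-release of the fixed version (e.g. a constructed "1.27.1-rc-1") conservatively as affected, and returns the matching entries. The inventory lines and the component name "xwiki-pro-macros" are constructed sample data.

```python
"""Flag inventory entries in the affected range for CVE-2025-65036.

Added example (not part of the advisory). The inventory below is constructed
sample data; the fixed version 1.27.1 comes from the advisory text.
"""
import re

CVE_ID = "CVE-2025-65036"
FIXED_VERSION = "1.27.1"  # first release with the permission checks, per the advisory
COMPONENT = "xwiki-pro-macros"  # constructed artifact name for the affected component

# Constructed sample inventory: (component, version) pairs as a deployment
# inventory tool might report them.
SAMPLE_INVENTORY = [
    ("xwiki-pro-macros", "1.25.3"),
    ("xwiki-pro-macros", "1.27.0"),
    ("xwiki-pro-macros", "1.27.1"),
    ("xwiki-pro-macros", "1.9"),          # string compare would wrongly rank this above 1.27.1
    ("xwiki-pro-macros", "1.28.0-rc-1"),  # pre-release of a later version: already fixed
    ("xwiki-platform-core", "16.4.0"),    # different component, ignored
]

_CORE = re.compile(r"\s*(\d+(?:\.\d+)*)(.*)$")


def parse_version(version):
    """Return ((major, minor, patch), is_prerelease).

    The numeric core is compared as integers; missing segments count as 0
    so "1.9" == "1.9.0". Any trailing suffix such as "-rc-1" marks a
    pre-release, which matters when the core equals the fixed version.
    """
    m = _CORE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]), bool(m.group(2).strip())


def is_affected(version, fixed=FIXED_VERSION):
    """True when `version` predates the fix.

    Versions strictly below the fixed core are affected. A version whose
    core equals the fixed core but carries a pre-release suffix is also
    flagged, since a pre-release build of 1.27.1 may predate the patch.
    """
    core, prerelease = parse_version(version)
    fixed_core, _ = parse_version(fixed)
    if core < fixed_core:
        return True
    return core == fixed_core and prerelease


def find_affected(inventory, component=COMPONENT):
    """Return the (component, version) entries that need the 1.27.1 update."""
    return [
        (name, ver)
        for name, ver in inventory
        if name == component and is_affected(ver)
    ]


if __name__ == "__main__":
    for name, ver in find_affected(SAMPLE_INVENTORY):
        print(f"{CVE_ID}: {name} {ver} is affected; upgrade to {FIXED_VERSION}")
```

The comparison deliberately ignores the suffix except at the boundary: a suffix on a version below 1.27.1 changes nothing (it is affected anyway), and a suffix on a version above it changes nothing either (the core already contains the fix). Only an exact core match with a pre-release tag is ambiguous, and the check errs on the side of flagging it.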

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1221 Template Injection (Stealth): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

Why these techniques?

The vulnerability enables remote code execution via exploitation of a public-facing web application (XWiki) through missing authorization in Remote Macros, directly mapping to T1190. It specifically involves server-side template injection with Velocity code execution, mapping to T1221.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
