CVE-2025-66024
Published: 04 March 2026
Description
The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML <title> tag without proper escaping. An attacker with permissions to create or edit blog posts can inject malicious JavaScript into the title field. This script will execute in the browser of any user (including administrators) who views the blog post. This leads to potential session hijacking or privilege escalation. The vulnerability has been patched in the blog application version 9.15.7 by adding missing escaping. No known workarounds are available.
Mitigating Controls (NIST 800-53 r5)
Requires output filtering and escaping of user-supplied blog post titles before insertion into HTML elements like the <title> tag, directly preventing stored XSS execution.
Mandates validation of inputs such as blog post titles to reject or sanitize malicious JavaScript payloads before storage, blocking the root cause of the stored XSS vulnerability.
Ensures timely identification, reporting, and patching of flaws like the unescaped title injection in XWiki blog versions prior to 9.15.7, eliminating the vulnerability through remediation.
Security Summary
CVE-2025-66024 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the XWiki blog application in versions prior to 9.15.7. This component enables users of the XWiki platform to create and manage blog posts. The issue stems from the blog post title being injected directly into the HTML <title> tag without proper escaping, allowing malicious JavaScript to be embedded in the title field.
An attacker with low-privilege access to create or edit blog posts (PR:L) can exploit this over the network (AV:N) by injecting JavaScript into a post title. The payload requires user interaction to view the affected blog post (UI:R) but executes in the context of any viewer, including administrators, due to the changed scope (S:C). Successful exploitation can result in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), enabling session hijacking or privilege escalation, as scored at CVSS 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
The vulnerability was addressed in blog application version 9.15.7 through the addition of missing escaping for the title field, as detailed in the patch commit at https://github.com/xwiki-contrib/application-blog/commit/cca87f0a0edc2e7e049d46d51f4a4d8f78b714ba, the GitHub security advisory at https://github.com/xwiki-contrib/application-blog/security/advisories/GHSA-h2xq-h7f9-vh6c, and the associated JIRA ticket at https://jira.xwiki.org/browse/BLOG-245. No workarounds are available.
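As an added illustration (not code from the advisory or from the application-blog project): a minimal Python model of the unescaped title rendering described above beside the escaped rendering of the fix, with a parser-based check a defender can use as a regression test to confirm a stored title can no longer close the <title> element early. The page template and the sample title are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample title that tries to close <title> early; it is not taken
# from the advisory, and the embedded script only logs a marker.
UNTRUSTED_TITLE = 'Roadmap </title><script>console.log("marker")</script>'

# Minimal stand-in for the page template; the real application's markup differs.
PAGE_TEMPLATE = "<html><head><title>{title}</title></head><body>post</body></html>"


def render_vulnerable(title: str) -> str:
    """Pre-9.15.7 behaviour as described: the stored title is inserted verbatim."""
    return PAGE_TEMPLATE.format(title=title)


def render_fixed(title: str) -> str:
    """Behaviour of the fix: HTML-escape the title before insertion."""
    return PAGE_TEMPLATE.format(title=html.escape(title, quote=True))


class _TitleAudit(HTMLParser):
    """Records what the parser treats as <title> text and counts <script> elements."""
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.in_title = False
        self.title_text = ""
        self.script_tags = 0
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "script":
            self.script_tags += 1
    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
    def handle_data(self, data):
        if self.in_title:
            self.title_text += data


def audit(page: str) -> dict:
    """Parse a rendered page; report the <title> text and the number of <script> elements."""
    parser = _TitleAudit()
    parser.feed(page)
    parser.close()
    # html.parser releases differ in whether character references inside <title>
    # are decoded; unescape once more so the comparison is version-independent
    # (safe here because the sample title contains no '&').
    return {"title_text": html.unescape(parser.title_text), "script_tags": parser.script_tags}


def title_contained(stored_title: str, page: str) -> bool:
    """True when the <title> text equals the stored title and no <script> element appeared."""
    result = audit(page)
    return result["title_text"] == stored_title and result["script_tags"] == 0
```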
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stored XSS vulnerability allows low-privilege attackers to inject malicious JavaScript into blog post titles, which then executes in the browser of any viewer (including administrators), directly enabling T1080: Taint Shared Content.