Cyber Posture

CVE-2025-66474

Severity: High · Public PoC

Published: 10 December 2025

Modified: 19 December 2025
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0067 (71.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc.) into another syntax (XHTML, etc.). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit through RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Timely flaw remediation through patching directly fixes the insufficient {{/html}} injection protection in XWiki Rendering, preventing RCE via script macros.

Prevent: Information input validation neutralizes malicious wiki syntax and HTML inputs, blocking injection of executable Groovy and Python macros during rendering.

Prevent: Least privilege restricts document and profile edit permissions to essential users only, limiting the attack surface for low-privileged authenticated exploitation.

Security Summary [AI-generated]

CVE-2025-66474 is an insufficient protection against {{/html}} injection vulnerability in XWiki Rendering, a generic rendering system that converts textual input from syntaxes like wiki syntax or HTML into formats such as XHTML. The flaw affects XWiki Rendering versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0. It is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and CWE-94 (Improper Control of Generation of Code).

Any authenticated user with permission to edit their own profile or any other document can exploit this vulnerability over the network with low complexity. Successful exploitation allows execution of arbitrary script macros, such as Groovy and Python, leading to remote code execution on the server as well as unrestricted read and write access to all wiki contents.

The issue is fixed in XWiki Rendering versions 16.10.10, 17.4.3, and 17.6.0-rc-1, as detailed in the project's GitHub commits, security advisory (GHSA-9xc6-c2rm-f27p), and Jira tickets XRENDERING-693 and XRENDERING-792. Security practitioners should prioritize upgrading affected instances to patched versions to mitigate the risk of RCE.

Details

CWE(s): CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), CWE-94 (Improper Control of Generation of Code)

Affected Products

Vendor: xwiki
Product: xwiki-rendering
Versions: 17.5.0 · ≤ 16.10.10 · 17.0.0 to 17.4.3

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability is an HTML injection flaw in a public-facing web application (XWiki Rendering) that low-privileged authenticated users can exploit (T1190); it leads to arbitrary macro/script execution (Groovy/Python) and server-side RCE, which in turn enables privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References