Metrics
Affected Vendors & Products
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Thu, 11 Sep 2025 14:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* |
Thu, 21 Aug 2025 12:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Xwiki
Xwiki xwiki |
|
Vendors & Products |
Xwiki
Xwiki xwiki |
Wed, 20 Aug 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-79 CWE-94 |
|
Metrics |
cvssV3_1
|
Wed, 20 Aug 2025 15:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields. | |
References |
|

Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2025-08-20T15:43:26.008Z
Reserved: 2025-06-16T00:00:00.000Z
Link: CVE-2025-51991

Updated: 2025-08-20T15:42:22.098Z

Status : Analyzed
Published: 2025-08-20T15:15:33.327
Modified: 2025-09-11T13:50:55.417
Link: CVE-2025-51991

No data.

Updated: 2025-08-21T12:31:02Z