What is CVE-2025-32429?

CVE-2025-32429 is a vulnerability in Xwiki Xwiki-platform, classified under SQL Injection. Published 2025-07-24.

Is CVE-2025-32429 known to be exploited?

7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

SQL Injection in Xwiki Xwiki-platform

CVE-2025-32429

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort o…

Vulnerability class: SQL Injection

EPSS: 0.846 (99.7th percentile) — read the EPSS interpretation.

Affected products

Xwiki Xwiki-platform — versions >= 9.4-rc-1, < 16.10.6, >= 17.0.0-rc-1, < 17.3.0-rc-1

Weakness classification (CWE)

CWE-89 — SQL Injection

Public proof-of-concept exploits

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq (x_refsource_CONFIRM)
https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101 (x_refsource_MISC)
https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3 (x_refsource_MISC)
https://jira.xwiki.org/browse/XWIKI-23093 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-32429?: CVE-2025-32429 is a vulnerability in Xwiki Xwiki-platform, classified under SQL Injection. Published 2025-07-24.
Is CVE-2025-32429 known to be exploited?: 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.