RCE in Xwiki Xwiki-rendering
CVE-2025-66474
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc.) into another syntax (XHTML, etc.). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 ha…
EPSS: 0.007 (71.9th percentile)
Affected products
- Xwiki Xwiki-rendering — affected version ranges: < 16.10.10; >= 17.0.0-rc-1 and < 17.4.3; >= 17.5.0-rc-1 and < 17.6.0-rc-1
Weakness classification (CWE)
References
- https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p (x_refsource_CONFIRM)
- https://github.com/xwiki/xwiki-platform/commit/12b780ccd5bca5fc8f74f46648d7e02fa04fbc11 (x_refsource_MISC)
- https://github.com/xwiki/xwiki-rendering/commit/9b71a2ee035815cfc29cebbfe81dbdd98f941d49 (x_refsource_MISC)
- https://jira.xwiki.org/browse/XRENDERING-693 (x_refsource_MISC)
- https://jira.xwiki.org/browse/XRENDERING-792 (x_refsource_MISC)
- https://jira.xwiki.org/browse/XRENDERING-793 (x_refsource_MISC)
- https://jira.xwiki.org/browse/XWIKI-23378 (x_refsource_MISC)