← Back

CVE-2025-46558

nvd nist
Published: Apr 30, 2025Modified: Aug 26, 2025

JSON object

Loading...
9.0
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Exploitability: 2.3 / Impact: 6.0
Source: security-advisories@github.com (Secondary)

Description

XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting (XSS) through HTML. In particular, using Markdown syntax, it's possible for any user to embed Javascript code that will then be executed on the browser of any other user visiting either the document or the comment that contains it. In the instance that this code is executed by a user with admins or programming rights, this issue compromises the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in version 8.9.

Affected (1)

Products: Xwiki: Xwiki
Xwiki
1 product
Xwiki
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Xwiki
From 8.2 to 8.9

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
ExploitIssue Tracking

Timeline

No history available yet.