CVE-2025-51990: XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically u...

Description

XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript payloads into the HTTP Meta Info, Footer Copyright, and Footer Version fields. These inputs are stored and subsequently rendered without proper output encoding or sanitization on public-facing pages. As a result, the injected scripts are persistently executed in the browser context of any visitor to the affected instances including both authenticated and unauthenticated users. No user interaction is required beyond visiting a page that includes the malicious content. Successful exploitation can lead to session hijacking, credential theft, unauthorized actions via session riding, or further compromise of the application through client-side attacks. The vulnerability introduces significant risk in any deployment, especially in shared or internet-facing environments where administrator credentials may be compromised.

Metrics

CVSS 3.1

4.8/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

0.46%

36.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Xwiki	Xwiki	<= 17.3.0

References

https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51990.mdExploit, Third Party Advisory

Timeline

Published: Aug 20, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-51990?

XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript payloads into the HTTP Meta Info, Footer Copyright, and Footer Version fields. These inputs are stored and subsequently rendered without proper output encoding or sanitization on public-facing pages. As a result, the injected scripts are persistently executed in the browser context of any visitor to the affected instances including both authenticated and unauthenticated users. No user interaction is required beyond visiting a page that includes the malicious content. Successful exploitation can lead to session hijacking, credential theft, unauthorized actions via session riding, or further compromise of the application through client-side attacks. The vulnerability introduces significant risk in any deployment, especially in shared or internet-facing environments where administrator credentials may be compromised.

How severe is CVE-2025-51990?

CVE-2025-51990 has a CVSS score of 4.8/10 (MEDIUM severity). The EPSS model estimates a 0.46% probability of exploitation in the next 30 days.

How do I fix CVE-2025-51990?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.