{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-14T22:24:35.927","vulnerabilities":[{"cve":{"id":"CVE-2025-32969","sourceIdentifier":"security-advisories@github.com","published":"2025-04-23T16:15:47.797","lastModified":"2025-04-30T15:50:37.270","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when \"Prevent unregistered users from viewing pages, regardless of the page rights\" and \"Prevent unregistered users from editing pages, regardless of the page rights\" options are enabled. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE\/INSERT\/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki."},{"lang":"es","value":"XWiki es una plataforma wiki genérica. En versiones a partir de la 1.8 y anteriores a las 15.10.16, 16.4.6 y 16.10.1, un usuario remoto no autenticado puede escapar del contexto de ejecución HQL y realizar una inyección SQL ciega para ejecutar sentencias SQL arbitrarias en el backend de la base de datos, incluso cuando las opciones \"Impedir que usuarios no registrados vean páginas, independientemente de sus derechos\" e \"Impedir que usuarios no registrados editen páginas, independientemente de sus derechos\" están habilitadas. Dependiendo del backend de la base de datos utilizado, el atacante podría obtener información confidencial, como hashes de contraseñas, y ejecutar consultas UPDATE\/INSERT\/DELETE. Este problema se ha corregido en las versiones 16.10.1, 16.4.6 y 15.10.16. No se conoce ningún workaround, salvo actualizar XWiki."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N\/E:X\/CR:X\/IR:X\/AR:X\/MAV:X\/MAC:X\/MAT:X\/MPR:X\/MUI:X\/MVC:X\/MVI:X\/MVA:X\/MSC:X\/MSI:X\/MSA:X\/S:X\/AU:X\/R:X\/V:X\/RE:X\/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-89"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*","versionStartIncluding":"1.8","versionEndExcluding":"15.10.16","matchCriteriaId":"A2F4E27B-4256-40AC-8DF8-62192CAD4235"},{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*","versionStartIncluding":"16.0.0","versionEndExcluding":"16.4.6","matchCriteriaId":"8BFE4D4B-D3CB-46DB-BAC6-2615398EA883"},{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*","versionStartIncluding":"16.5.0","versionEndExcluding":"16.10.1","matchCriteriaId":"8150C269-44A7-486B-A7BB-06CB0D631348"}]}]}],"references":[{"url":"https:\/\/github.com\/xwiki\/xwiki-platform\/commit\/5c11a874bd24a581f534d283186e209bbccd8113","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https:\/\/github.com\/xwiki\/xwiki-platform\/security\/advisories\/GHSA-f69v-xrj8-rhxf","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https:\/\/jira.xwiki.org\/browse\/XWIKI-22691","source":"security-advisories@github.com","tags":["Issue Tracking","Vendor Advisory"]}]}}]}