How severe is CVE-2025-24893?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2025-24893?

This is classified as CWE-95, which is a common weakness in software security.

CVE-2025-24893

CRITICAL Year: 2025

CVSS v3 Score

9.8

Critical

Weakness Type

CWE-95

View all →

Vulnerability Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.

CVE-2022-36010

CRITICAL

CVSS:9.8(Critical)

This library allows strings to be parsed as functions and stored as a specialized component, [`JsonFunctionValue`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e...

CWE-952022

CVE-2023-0090

CRITICAL

CVSS:9.8(Critical)

The webservices in Proofpoint Enterprise Protection (PPS/POD) contain a vulnerability that allows for an anonymous user to execute remote code through 'eval injection'. Exploitation requires network a...

CWE-952023

CVE-2023-26323

CRITICAL

CVSS:9.8(Critical)

A code execution vulnerability exists in the Xiaomi App market product. The vulnerability is caused by unsafe configuration and can be exploited by attackers to execute arbitrary code.

CWE-952023

CVE-2023-26477

CRITICAL

CVSS:9.8(Critical)

XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeN...

CWE-952023

CVE-2023-48699

CRITICAL

CVSS:9.8(Critical)

fastbots is a library for fast bot and scraper development using selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with py...

CWE-952023

CVE-2024-21650

CRITICAL

CVSS:9.8(Critical)

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to a remote code execution (RCE) attack through its user registration featu...

CWE-952024

CVE-2025-24893

Vulnerability Description

Related Vulnerabilities

CVE-2022-36010

CVE-2023-0090

CVE-2023-26323

CVE-2023-26477

CVE-2023-48699

CVE-2024-21650