How severe is CVE-2025-32969?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2025-32969?

This is classified as CWE-89, which is a common weakness in software security.

CVE-2025-32969 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki.

Related Vulnerabilities

CVE-2005-4891

CRITICAL

CVSS:9.8(Critical)

Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject arbitrary SQL statements.

CWE-892005

CVE-2006-5603

CRITICAL

CVSS:9.8(Critical)

SQL injection vulnerability in pop_mail.asp in Snitz Forums 2000 3.4.06 allows remote attackers to execute arbitrary SQL commands via the RC parameter. NOTE: the provenance of this information is unkn...

CWE-892006

CVE-2007-10002

CRITICAL

CVSS:9.8(Critical)

A vulnerability, which was classified as critical, has been found in web-cyradm. Affected by this issue is some unknown functionality of the file auth.inc.php. The manipulation of the argument login/l...

CWE-892007

CVE-2007-2534

CRITICAL

CVSS:9.8(Critical)

Multiple SQL injection vulnerabilities in admin.php in phpHoo3 allow remote attackers to execute arbitrary SQL commands via the (1) ADMIN_USER (USER) and (2) ADMIN_PASS (PASS) parameters during a logi...

CWE-892007

CVE-2007-3652

CRITICAL

CVSS:9.8(Critical)

SQL injection vulnerability in class/page.php in Farsi Script (aka FaScript) FaName 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: this might be the same iss...

CWE-892007

CVE-2008-10003

CRITICAL

CVSS:9.8(Critical)

A vulnerability was found in iGamingModules flashgames 1.1.0. It has been classified as critical. Affected is an unknown function of the file game.php. The manipulation of the argument lid leads to sq...

CWE-892008