XWiki Remote Macros Panel Macro Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the XWiki Remote Macros panel macro, affecting versions 1.0 through 1.26.5. The issue arises from the classes parameter being used without proper escaping, allowing for XWiki syntax injection. This vulnerability can be exploited by any user who can edit a page.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where XWiki is hosted.

Reproduction

To reproduce this vulnerability, add the panel macro to a page and input a crafted payload in the classes parameter that exploits the missing escaping. Alternatively, the vulnerability can be reproduced by using the Office document viewer macro to access internal files, as demonstrated in XWIKI-20449.
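As a defender-side triage aid, the following Python scanner (an added example, not code from the advisory or from the XWiki project) walks XWiki 2.1 page content, locates every panel macro invocation, and flags any whose classes parameter contains characters outside a conservative CSS-class allowlist (letters, digits, underscore, hyphen, space). The macro-parameter grammar it parses is a simplified assumption (quoted parameter values only), the allowlist is an assumption, and the sample page content is constructed for the example.

```python
import re

# Simplified model of an XWiki macro invocation: {{panel name="value" ...}}
# Quoted values may legitimately contain '}' so they are consumed before the
# closing braces are matched. (Assumption: only quoted parameter values.)
MACRO_RE = re.compile(
    r"""\{\{panel((?:\s+\w+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*/?\}\}""",
    re.IGNORECASE,
)
PARAM_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

# Allowlist for a CSS class list (assumption): anything outside this set,
# e.g. braces, quotes or the XWiki 2.1 escape character '~', is suspicious
# in a parameter that is interpolated into wiki syntax without escaping.
SAFE_CLASSES_RE = re.compile(r"^[A-Za-z0-9_ -]*$")

# Constructed sample page content (not taken from the advisory).
SAMPLE_PAGE = """\
{{panel title="News" classes="panel-info panel-compact"}}
Latest news goes here.
{{/panel}}

{{panel classes="col-md-4"}}
No title here.
{{/panel}}

{{panel title="Odd" classes="sidebar~~"}}
A tilde is the XWiki 2.1 escape character and has no place in a class list.
{{/panel}}

{{panel title="Bad" classes="sidebar}} {{example}}"}}
Braces that close the macro call and open another one.
{{/panel}}
"""


def find_panel_invocations(content):
    """Return [(line_number, {param: value}), ...] for each panel macro call."""
    results = []
    for m in MACRO_RE.finditer(content):
        params = {}
        for pm in PARAM_RE.finditer(m.group(1)):
            name = pm.group(1).lower()
            value = pm.group(2) if pm.group(2) is not None else pm.group(3)
            params[name] = value
        line_no = content.count("\n", 0, m.start()) + 1
        results.append((line_no, params))
    return results


def suspicious_classes(content):
    """Return [(line_number, classes_value), ...] for every panel invocation
    whose classes value falls outside the CSS-class allowlist."""
    hits = []
    for line_no, params in find_panel_invocations(content):
        value = params.get("classes")
        if value is not None and not SAFE_CLASSES_RE.match(value):
            hits.append((line_no, value))
    return hits


if __name__ == "__main__":
    for line_no, value in suspicious_classes(SAMPLE_PAGE):
        print(f"line {line_no}: suspicious classes value {value!r}")
```

Run it over exported page content (for example the XWiki syntax of pages that use the panel macro) to locate invocations worth reviewing while the upgrade described under Remediation is rolled out; a hit is a prompt for manual review, not proof of exploitation, and the scanner does not replace the patched escaping in the macro itself.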

Remediation

Users can update to XWiki Remote Macros version 1.26.5 or later, where this vulnerability has been patched.

Added: Sep 9, 2025, 7:28 PM
Updated: Sep 9, 2025, 7:28 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 10.0
exploitability: 9.7
remediation: 7.7
relevance: 0.5
threat: 6.5
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.