GHSA-7vpr-jm38-wr7w: XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-66472

XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication

Moderate severity GitHub Reviewed Published Dec 10, 2025 in xwiki/xwiki-platform • Updated Dec 10, 2025

Package

maven org.xwiki.platform:xwiki-platform-flamingo-skin-resources (Maven)

Affected versions

>= 6.2-milestone-1, < 16.10.10

>= 17.0.0-rc-1, < 17.4.2

Patched versions

16.10.10

17.4.2

maven org.xwiki.platform:xwiki-platform-web-templates (Maven)

>= 6.2-milestone-1, < 16.10.10

>= 17.0.0-rc-1, < 17.4.2

Impact

A reflected XSS vulnerability in XWiki allows an attacker to send a victim to a URL with a deletion confirmation message on which the attacker-supplied script is executed when the victim clicks the “No” button. When the victim has admin or programming right, this allows the attacker to execute basically arbitrary actions on the XWiki installation including remote code execution.

Patches

This vulnerability has been patched in XWiki 16.10.10, 17.4.2 and 17.5.0 by using the affected URL parameter only in the intended context.

Workarounds

The patch can be manually applied to the templates that are present in the WAR. A restart of XWiki is needed for the changes to be applied.

References

• GHSA-7vpr-jm38-wr7w
• xwiki/xwiki-platform@cb578b1
• https://jira.xwiki.org/browse/XWIKI-23244

Published to the GitHub Advisory Database

Dec 10, 2025

Last updated

Dec 10, 2025