Vulnerability Description
A vulnerability in XWiki Platform allows an unauthenticated attacker to achieve remote code execution by abusing unsafe user-controlled input handling in the SolrSearch macro (SolrSearchMacros). By injecting crafted requests into the macro, an attacker can trigger server-side code execution, leading to full compromise of the XWiki instance.
| Field | Description |
| CVE-ID | CVE-2025-24893 — CVSS 9.8 — assigned by GitHub, Inc. |
| Vulnerability Description | XWiki Platform is a generic wiki platform.An unauthenticated attacker can achieve remote code execution by abusing unsafe user-controlled input handling in the SolrSearch macro (SolrSearchMacros).Crafted requests injected into the macro result in server-side code execution, allowing full compromise of the XWiki instance. |
| Date of Disclosure | February 20, 2025 |
| Affected Assets | XWiki Platform |
| Vulnerable Software Versions | XWiki Platform versions:≥ 5.3-milestone-2 and < 15.10.11≥ 16.0.0-rc-1 and < 16.4.1All deployments exposing the vulnerable SolrSearch macro to unauthenticated users are impacted. |
| PoC Available? | Yes, available on GitHub. |
| Exploitation Status | Confirmed exploitation in the wild.Added to the CISA Known Exploited Vulnerabilities (KEV) catalog on October 30, 2025 |
| Patch Status | Fixed in XWiki 15.10.11, 16.4.1, and later.Workaround: modify Main.SolrSearchMacros to change the rawResponse macro output type to application/xml. |
Censys Perspective
The following queries can be used to identify potentially exposed instances. At the time of writing, we observe 2.9k XWiki Platform instances exposed online. Note that not all of these are necessarily vulnerable.
web.software.product=”xwiki” and not web.labels.value=”HONEYPOT”
risks.name=”Vulnerable XWiki [CVE-2025-24893]”
services.software.product=”XWiki” and not labels={“honeypot”, “tarpit”}