Platform: java
Component: org.xwiki.contrib.markdown:syntax-markdown-commonmark12
Fixed in: 8.2.1, 8.9
CVE-2025-46558 is a critical cross-site scripting (XSS) vulnerability in the XWiki Markdown Syntax 1.2 extension (the org.xwiki.contrib.markdown:syntax-markdown-commonmark12 component). It lets anyone who can write Markdown into a page or comment inject JavaScript through Markdown syntax; the script then runs in the browsers of other users who view that content, putting their sessions and data at risk. Note that the affected version numbers are those of the extension, not of XWiki itself: installations running the extension at any version before 8.9 are affected, except the 8.2.x line, for which the fix was backported in 8.2.1.
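To turn the version condition above into a check, here is an added example (not XWiki's code and not part of this advisory) that scans a Maven pom.xml for the affected artifact and compares its resolved version with the fixed releases listed above. The sample pom, the single-level `${property}` resolution and the handling of version qualifiers are assumptions of this example; installations that pull the extension in through the Extension Manager rather than a Maven build should read the installed version there instead.

```python
"""Affected-version check for CVE-2025-46558.

Added example, not XWiki project code. Scans a Maven pom.xml for
org.xwiki.contrib.markdown:syntax-markdown-commonmark12 and compares the
resolved version with the fixed releases listed in this advisory
(8.2.1 on the 8.2.x line, 8.9 otherwise). The sample pom below is
constructed for illustration; the version-parsing rules (numeric core only,
qualifiers such as -SNAPSHOT ignored) are this example's assumptions.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_GROUP = "org.xwiki.contrib.markdown"
AFFECTED_ARTIFACT = "syntax-markdown-commonmark12"
FIXED_8_2_LINE = (8, 2, 1)   # backported fix for the 8.2.x branch
FIXED_MAINLINE = (8, 9, 0)   # first fixed release on every other line

# Constructed sample pom.xml (not a real project); the markdown pin resolves
# to 8.8, which is affected.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>wiki-bundle</artifactId>
  <version>1.0</version>
  <properties>
    <markdown.version>8.8</markdown.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.xwiki.contrib.markdown</groupId>
      <artifactId>syntax-markdown-commonmark12</artifactId>
      <version>${markdown.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """'8.2.1' / '8.9' / '8.9-SNAPSHOT' -> comparable (major, minor, patch)."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True if this extension version predates the fix for its release line."""
    v = parse_version(version)
    if v[:2] == (8, 2):
        return v < FIXED_8_2_LINE
    return v < FIXED_MAINLINE


def check_pom(pom_xml):
    """Return None if the extension is not declared in the pom, otherwise
    (version, affected). 'affected' is None when the version is managed
    elsewhere (parent POM / dependencyManagement) or an unresolved property."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""

    def q(tag):
        return f"{{{ns}}}{tag}" if ns else tag

    def text(elem, tag):
        child = elem.find(q(tag))
        return child.text.strip() if child is not None and child.text else None

    props = {}
    props_elem = root.find(q("properties"))
    if props_elem is not None:
        for p in props_elem:
            props[p.tag.split("}")[-1]] = (p.text or "").strip()

    for dep in root.iter(q("dependency")):
        if text(dep, "groupId") != AFFECTED_GROUP or text(dep, "artifactId") != AFFECTED_ARTIFACT:
            continue
        raw = text(dep, "version")
        if raw is None:
            return "<managed>", None
        # One level of ${property} resolution (assumption: no nested properties).
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        if "${" in version:
            return version, None
        return version, is_affected(version)
    return None


if __name__ == "__main__":
    print(check_pom(SAMPLE_POM))
```

The branch logic mirrors the "Fixed in" card: 8.2.0 and below are affected, 8.2.1 and later on that line are not, and every other line is affected below 8.9. Versions whose value lives in a parent POM come back with `affected` set to None so they are not silently reported as clean.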
The impact of this XSS vulnerability is significant. An attacker who can edit a page or post a comment embeds JavaScript in the Markdown, and the script runs in the browser of every user who views that page or comment, inside the wiki's own origin and with the viewer's authenticated session. That enables session hijacking, defacement of the wiki, and theft of any data the viewer can read. Crucially, the script runs with the rights of the victim, not of the attacker: if a user with administrative or programming rights views the content, the script can act with those rights, and the entire XWiki installation is at risk, potentially leading to complete compromise. Because the injected JavaScript executes in the wiki's origin, the browser's same-origin protections do not help, and the attacker gains effective control over affected users' sessions.
CVE-2025-46558 was publicly disclosed on April 30, 2025. Exploitation is easy (a crafted page or comment is enough) and the reach is broad (every viewer of that content), which suggests a medium-to-high probability of exploitation; the EPSS score of 3.03% places it in the 87th percentile of scored CVEs. No public proof-of-concept code has been widely reported, but for a stored XSS of this kind a working payload is straightforward to produce. Monitor security advisories and threat intelligence feeds for signs of active campaigns against XWiki installations, and review recently edited pages and comments written in Markdown 1.2 syntax for raw HTML or script content.
Exploit Status
EPSS: 3.03% (87th percentile)
The primary mitigation for CVE-2025-46558 is to upgrade the Markdown Syntax 1.2 extension to version 8.9 or later (or to 8.2.1 or later if you stay on the 8.2.x line). The fix is in the extension, not in the XWiki platform, so check the extension version rather than the XWiki version. If an immediate upgrade is not feasible, temporary workarounds include: disabling or uninstalling the extension if it is not essential (pages written in Markdown 1.2 syntax will not render while it is unavailable); restricting who may edit pages and post comments, since the attacker needs to store Markdown in the wiki; and a Web Application Firewall with rules that block raw HTML and script tags in submitted content, accepting that WAF filtering for XSS is easy to evade and is a stopgap rather than a fix. Review XWiki rights and configuration regularly to limit what a successful attack can reach, in particular keeping the set of accounts with administrative or programming rights small. After upgrading, confirm the fix by placing a simple payload such as a script tag in a Markdown 1.2 page and checking that the rendered output shows it as escaped text rather than executing it.
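For the post-upgrade confirmation step, the following added example (not XWiki's code and not from this advisory) scans the HTML an XWiki instance returns for a Markdown 1.2 page and reports anything that would execute in a browser: script elements, `on*` event-handler attributes and `javascript:` URLs. The "before" and "after" HTML strings are constructed here to illustrate the two outcomes the text describes (raw HTML passed through versus escaped), not captured from a real instance; the fetch helper's URL shape (`?xpage=plain`) and cookie handling are assumptions to adjust for your deployment. A parser-based check is used rather than a substring search so that escaped text such as `&lt;script&gt;` is correctly reported as harmless.

```python
"""Coarse active-content check on rendered XWiki output (added example, not
XWiki code). Feed it the HTML returned for a page containing a test payload:
an empty findings list means the payload came back as escaped text.

Constructed sample data below; the fetch helper assumes XWiki's xpage=plain
rendering and is not exercised offline."""
from html.parser import HTMLParser
from urllib.parse import quote
from urllib.request import Request, urlopen

# Constructed test payload a practitioner would put into a Markdown 1.2 page.
PAYLOAD_MD = "Hello <script>alert(document.cookie)</script> <img src=x onerror=alert(1)>"

# Constructed illustration of an affected version passing raw HTML through.
RENDERED_BEFORE_FIX = (
    '<p>Hello <script>alert(document.cookie)</script> '
    '<img src="x" onerror="alert(1)"></p>'
)
# Constructed illustration of a fixed version escaping the same input.
RENDERED_AFTER_FIX = (
    '<p>Hello &lt;script&gt;alert(document.cookie)&lt;/script&gt; '
    '&lt;img src=x onerror=alert(1)&gt;</p>'
)

URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class ActiveContentScanner(HTMLParser):
    """Records markup that a browser would execute. Entity-escaped text never
    reaches handle_starttag, so '&lt;script&gt;' produces no finding."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"{tag}@{lname} event handler")
            elif lname in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{lname} javascript: URL")


def scan_rendered_html(html):
    """Return the list of active-content findings; [] means nothing live."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def fetch_rendered_content(base_url, space, page, session_cookie=None):
    """Fetch rendered page content from XWiki. Assumption: the instance serves
    content-only rendering at /bin/view/<space>/<page>?xpage=plain; pass the
    viewing user's session cookie so the page is rendered as that user."""
    url = f"{base_url.rstrip('/')}/bin/view/{quote(space)}/{quote(page)}?xpage=plain"
    headers = {"Cookie": session_cookie} if session_cookie else {}
    with urlopen(Request(url, headers=headers), timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    print("before fix:", scan_rendered_html(RENDERED_BEFORE_FIX))
    print("after fix: ", scan_rendered_html(RENDERED_AFTER_FIX))
```

Run the scan against the content region only (the plain rendering above, or the extracted content div), since a full skinned page legitimately carries XWiki's own scripts. The check inspects server-returned markup, not what a browser ultimately builds, so treat an empty result as a necessary condition and complete the confirmation by viewing the page in a browser with the developer console open.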
Update the Markdown Syntax extension (syntax-markdown-commonmark12) to version 8.9 or later, or to 8.2.1 or later if you remain on the 8.2.x line. These releases contain the fix for the XSS vulnerability. The update can be performed through the Extension Manager in the XWiki administration interface.
CVE-2025-46558 is a critical XSS vulnerability in XWiki's Markdown Syntax 1.2 extension that allows attackers to inject JavaScript via Markdown, compromising the sessions of users who view the content and, if a user with administrative or programming rights views it, potentially the entire XWiki installation.
You are affected if your XWiki installation has the Markdown Syntax 1.2 extension (org.xwiki.contrib.markdown:syntax-markdown-commonmark12) installed at a version before 8.9, or before 8.2.1 on the 8.2.x line.
Upgrade the Markdown Syntax 1.2 extension to 8.9 or later (8.2.1 or later on the 8.2.x line). As a temporary workaround, disable the extension, restrict who can edit pages and post comments, or add WAF rules, bearing in mind that request filtering is a stopgap and not a fix.
No widespread exploitation has been confirmed, but the vulnerability is easy to exploit, so active campaigns are plausible. Continuous monitoring is recommended.
Refer to the official XWiki security advisory for detailed information and updates: [https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories](https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories)