CVE-2025-65036 Overview
CVE-2025-65036 is a missing authorization vulnerability [CWE-862] in XWiki Pro Macros, an extension that provides XWiki rendering macros for migrating content from Confluence. Versions prior to 1.27.1 execute Velocity code from macro details pages without performing permission checks. An authenticated attacker with low privileges can abuse this flaw to achieve remote code execution on the XWiki server. The issue is fixed in version 1.27.1.
Critical Impact
Authenticated users can execute arbitrary Velocity templates on the XWiki server, leading to remote code execution and full compromise of wiki content and the underlying host process.
Affected Products
- XWiki Pro Macros versions prior to 1.27.1
- XWiki instances using the Confluence migration macros
- Component identifier: xwiki:pro_macros
Discovery Timeline
- 2025-12-05 - CVE-2025-65036 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-65036
Vulnerability Analysis
XWiki Pro Macros bundles a set of rendering macros that mimic Confluence behavior to ease content migration. Several of these macros expose details pages that render Velocity templates supplied through macro parameters or page content. In versions before 1.27.1, the macro evaluates Velocity expressions on the server without verifying that the calling user holds programming or script rights.
Velocity is a server-side template engine integrated tightly with the XWiki platform. When Velocity executes without rights enforcement, attackers can call XWiki internal APIs, read or modify arbitrary documents, invoke Groovy or shell commands through exposed bindings, and pivot to the host operating system. The result is full remote code execution in the context of the XWiki application server.
Root Cause
The root cause is a missing authorization check before template evaluation. The macro implementation passes user-influenced content to the Velocity engine and relies on the engine to run with the privileges of the page author rather than enforcing an explicit script rights check on the requesting principal. This breaks XWiki's standard rights model, where script execution requires explicit programming rights granted by an administrator.
Attack Vector
Exploitation requires network access to the XWiki instance and a low-privileged authenticated account, with no user interaction. An attacker submits a crafted request to a vulnerable macro details endpoint containing Velocity syntax. The server evaluates the template without checking permissions and returns the rendered output, including the result of any Java method invocation reachable through Velocity bindings. The maximum impact includes arbitrary code execution, data exfiltration, and content tampering across the wiki.
No public proof-of-concept exploit is listed in the NVD references at the time of writing, and the vulnerability is not present on the CISA Known Exploited Vulnerabilities catalog. See the GitHub Security Advisory GHSA-472x-fwh9-r82f for vendor details.
Detection Methods for CVE-2025-65036
Indicators of Compromise
- HTTP requests targeting XWiki Pro Macros details URLs that contain Velocity directives such as #set, $services, $xwiki, or $doc
- Unexpected child processes spawned by the XWiki Java application server, such as shells or scripting interpreters
- Creation or modification of XWiki documents containing newly granted programming or script rights
- Outbound network connections from the XWiki server to unfamiliar hosts shortly after macro page access
Detection Strategies
- Review web access logs for authenticated requests to macro details pages containing template syntax in query parameters or POST bodies
- Correlate XWiki application logs reporting Velocity evaluation with the requesting username and source IP
- Hunt for process lineage where the XWiki or Tomcat JVM spawns sh, bash, cmd.exe, powershell.exe, or scripting binaries
- Monitor file integrity on the XWiki data directory for new or modified .xml documents owned by low-privileged accounts
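Detection logic for the log-review items above, as an added example that is not part of the original advisory: it scans constructed combined-format access-log lines for requests to Pro Macros details pages whose URL carries the Velocity markers listed under Indicators of Compromise, after undoing nested URL-encoding. The /ProMacros/ path fragment is a placeholder for whatever space and page names your wiki actually uses.

```python
import re
from urllib.parse import unquote_plus

# Velocity directives and bindings listed as indicators for CVE-2025-65036
VELOCITY_MARKERS = ("#set", "$services", "$xwiki", "$doc")
# Assumed path fragment for Pro Macros details pages; set it to the space/page
# names your wiki actually uses (placeholder, not a real XWiki path)
DETAILS_PATH_HINT = "/ProMacros/"
# Combined access-log format: ip ident user [ts] "METHOD url proto" status size
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def decode_fully(text, max_rounds=3):
    """Undo nested URL-encoding so %2523set and %23set both surface as #set."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def velocity_markers_in(url):
    """Return the Velocity markers present in the decoded URL, in list order."""
    decoded = decode_fully(url)
    return [m for m in VELOCITY_MARKERS if m in decoded]

def scan_access_log(lines):
    """Flag requests to details pages whose URL carries Velocity syntax.
    POST bodies never reach the access log; cover them with request-body logging."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or DETAILS_PATH_HINT not in m.group("url"):
            continue
        markers = velocity_markers_in(m.group("url"))
        if markers:
            findings.append({"ip": m.group("ip"), "user": m.group("user"),
                             "authenticated": m.group("user") != "-",
                             "markers": markers, "url": decode_fully(m.group("url"))})
    return findings

# Constructed sample lines (not real traffic); addresses and usernames are invented
SAMPLE_LOG = [
    '10.0.0.7 - alice [05/Dec/2025:10:12:01 +0000] "GET /xwiki/bin/view/ProMacros/Details?tpl=%23set(%24x%3D%24services) HTTP/1.1" 200 512',
    '10.0.0.8 - bob [05/Dec/2025:10:12:05 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 3210',
    '10.0.0.9 - - [05/Dec/2025:10:12:09 +0000] "GET /xwiki/bin/view/ProMacros/Details?tpl=%2524xwiki HTTP/1.1" 200 80',
    '10.0.0.10 - carol [05/Dec/2025:10:12:12 +0000] "POST /xwiki/bin/view/ProMacros/Details HTTP/1.1" 200 80',
]
```

Anonymous hits are reported too (with authenticated set to False) so the analyst can decide rather than the filter; correlate the user and ip fields with the XWiki application log as the next list item describes.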
Monitoring Recommendations
- Forward XWiki application, servlet container, and host process telemetry to a central analytics platform for correlation
- Alert on any successful execution of Velocity macros by accounts that do not hold administrator rights
- Baseline normal outbound traffic from the XWiki host and alert on deviations following macro interactions
- Track installation versions of the xwiki:pro_macros extension across all XWiki nodes to confirm patch state
How to Mitigate CVE-2025-65036
Immediate Actions Required
- Upgrade XWiki Pro Macros to version 1.27.1 or later on every XWiki instance
- Audit user accounts and remove unnecessary edit or comment rights from untrusted users until patching completes
- Review recent macro details page activity for signs of exploitation prior to patching
- Rotate any credentials, API tokens, or secrets accessible to the XWiki application process if exploitation is suspected
Patch Information
The vendor fixed the issue in XWiki Pro Macros 1.27.1 by adding the missing permission check before Velocity evaluation in the affected macro details pages. Upgrade instructions and the full advisory are available in the XWiki Pro Macros Security Advisory GHSA-472x-fwh9-r82f.
Workarounds
- Temporarily uninstall or disable the XWiki Pro Macros extension if an immediate upgrade is not feasible
- Restrict edit and view rights on pages that expose the vulnerable macro details endpoints to administrators only
- Place the XWiki instance behind a web application firewall rule that blocks Velocity directives in request parameters
- Limit network reachability of the XWiki server to trusted internal users until the patch is applied
The commands below check the installed extension version on the server and illustrate removal; the Extension Manager in the wiki's Administration UI remains the authoritative place to read the installed version and to uninstall.
# Verify the installed XWiki Pro Macros version on the server
# (assumes the Debian-package permanent directory /var/lib/xwiki/data; adjust the path for your instance;
#  -A2 prints the lines following each match so the <version> element of the .xed descriptor is included)
grep -R -A2 "pro-macros" /var/lib/xwiki/data/extension/ | grep -i version
# Example only: disable the extension via an assumed command-line wrapper around the Extension Manager;
# XWiki ships the Extension Manager as a web UI, so adapt this step to your deployment
xwiki-extension-cli uninstall com.xwiki.pro:xwiki-pro-macros-ui
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

