CVE-2025-66472: XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication
A reflected XSS vulnerability in XWiki allows an attacker to send a victim to a URL that renders a deletion confirmation message; the attacker-supplied script is executed when the victim clicks the "No" button on that page. When the victim has admin or programming rights, this allows the attacker to perform essentially arbitrary actions on the XWiki installation, including remote code execution.
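The defensive pattern for a redirect parameter echoed into a confirmation page, as an added illustration (not XWiki's own code or its fix): the `xredirect` value is accepted only as a relative path inside the wiki and is HTML-escaped when written into the "No" link. Function names and the default target path are assumptions for the example.

```python
from html import escape
from urllib.parse import unquote, urlsplit

def is_safe_xredirect(value: str) -> bool:
    """Accept only a relative, same-site path such as /xwiki/bin/view/Main/.

    Rejects empty or oversized values, control characters, anything with a
    scheme (javascript:, data:, https:), protocol-relative //host targets and
    the backslash variant /\\host that some browsers normalise to //host.
    """
    if not value or len(value) > 2048:
        return False
    decoded = unquote(value)  # look through percent-encoding before checking
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return False
    if not decoded.startswith("/") or decoded.startswith(("//", "/\\")):
        return False
    return True

def render_confirmation(doc_name: str, xredirect: str,
                        default: str = "/xwiki/bin/view/Main/") -> str:
    """Build the deletion confirmation fragment with a safe 'No' link.

    Two independent layers: an unsafe xredirect falls back to a fixed path,
    and whatever is emitted is attribute-escaped so a value that survives
    validation still cannot break out of the href attribute.
    """
    target = xredirect if is_safe_xredirect(xredirect) else default
    return (
        f"<p>Delete {escape(doc_name)}?</p>"
        f'<a class="button" href="{escape(target, quote=True)}">No</a>'
    )

if __name__ == "__main__":
    # Constructed sample inputs: one legitimate path, two that must be refused.
    for candidate in ("/xwiki/bin/view/Main/WebHome",
                      "javascript%3Aalert(1)", "//evil.example/"):
        print(candidate, "->", is_safe_xredirect(candidate))
    print(render_confirmation("Main.WebHome", '/x"><script>alert(1)</script>'))
```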