CVE-2025-66024 in xwiki-contrib application-blog-uiinformação

Sumário (Inglês)

The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML <title> tag without proper escaping. An attacker with permissions to create or edit blog posts can inject malicious JavaScript into the title field. This script will execute in the browser of any user (including administrators) who views the blog post. This leads to potential session hijacking or privilege escalation. The vulnerability has been patched in the blog application version 9.15.7 by adding missing escaping. No known workarounds are available.

Responsável

GitHub_M

Reservar

21/11/2025

Divulgação

05/03/2026

Inscrições

VulDB provides additional information and datapoints for this CVE:

ID	Vulnerabilidade	CWE	Exp	Con	CVE
348875	xwiki-contrib application-blog-ui Blog Post Title Script de Site Cruzado	79	Não definido	Correção oficial	CVE-2025-66024

Descrição

CPE

CWE

CVSS

Explorações

História

Diferença

Relacionar

Inteligência de ameaças

API JSON

API XML

API CSV

◂ VoltarVisão GeralPróximo ▸

Interested in the pricing of exploits?

See the underground prices here!