Critical Vulnerability Information

Vulnerability Title: No required right warnings for XClass definitions
Severity: High (CVSS v4 base score 8.6 / 10)

Affected Scope
Package:
Affected versions: -
Patched versions: -

Description and Impact
An attacker without script or programming rights can create an XClass definition in XWiki (creating one requires only edit rights). If that document is later edited by a user with script, admin, or programming rights, malicious code in it may execute with the privileges of the editing user, without any prior warning. This specifically affects custom display code, scripts in computed properties, and queries in database list properties.

Patch
Fixed in XWiki 16.10.2, 16.4.7, and 15.10.16 by adding required-rights analysis of the corresponding XClass attributes.

Mitigation
No practical mitigation exists currently, other than being cautious when editing documents previously modified by untrusted users.

References
https://jira.xwiki.org/browse/XWIKI-22476

CVE ID: CVE-2025-49585
Weakness: No CWEs
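The following is an added illustration, not part of this advisory and not XWiki's own required-rights analyzer. It shows the kind of check the patch introduces from the defender's side: an offline audit that walks an exported XWiki document, inspects the three XClass attributes the advisory names (custom display code, computed-field scripts, database-list queries), and reports which right a later editor would implicitly grant by saving the document. The XML layout, element names (customDisplay, script, sql, classType) and the right-level labels are assumptions modeled on XWiki's document export format; the sample document is constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample export (assumed layout): one XClass with four properties.
# Three of them carry content that the advisory says executes on the next
# privileged save; the fourth ("plain") carries nothing of interest.
SAMPLE_XML = """<xwikidoc>
  <web>Sandbox</web>
  <name>UntrustedClass</name>
  <class>
    <name>Sandbox.UntrustedClass</name>
    <title>
      <customDisplay>{{velocity}}$doc.display("title"){{/velocity}}</customDisplay>
      <classType>com.xpn.xwiki.objects.classes.StringClass</classType>
    </title>
    <total>
      <script>{{groovy}}println(services.query){{/groovy}}</script>
      <classType>com.xpn.xwiki.objects.classes.ComputedFieldClass</classType>
    </total>
    <list>
      <sql>select doc.fullName from XWikiDocument doc</sql>
      <classType>com.xpn.xwiki.objects.classes.DBListClass</classType>
    </list>
    <plain>
      <classType>com.xpn.xwiki.objects.classes.StringClass</classType>
    </plain>
  </class>
</xwikidoc>"""

# XClass attributes that are evaluated rather than merely displayed (assumed names).
EVALUATED_ATTRIBUTES = ("customDisplay", "script", "sql")

# Script macros, and the right level each one requires (assumption: velocity
# needs script right, the others need programming right).
SCRIPT_MACRO_RE = re.compile(r"\{\{\s*(velocity|groovy|python|script)\b", re.IGNORECASE)
# Bare Velocity syntax outside a macro (directives like #if, references like $doc).
VELOCITY_SYNTAX_RE = re.compile(r"(#\w+|\$\w+)")

RIGHT_RANK = {"query": 1, "script": 2, "programming": 3}


def required_right(attribute, value):
    """Return the right an editor would grant by saving this attribute value, or None."""
    match = SCRIPT_MACRO_RE.search(value)
    if match:
        macro = match.group(1).lower()
        return "script" if macro == "velocity" else "programming"
    if VELOCITY_SYNTAX_RE.search(value):
        return "script"
    if attribute == "sql":
        # A database-list query runs against the wiki store even without macros.
        return "query"
    return None


def analyze_xclass(xml_text):
    """Return (property, attribute, required_right) for every evaluated attribute found."""
    root = ET.fromstring(xml_text)
    findings = []
    xclass = root.find("class")
    if xclass is None:
        return findings
    for prop in xclass:
        if prop.tag == "name":  # the class's own name, not a property
            continue
        for attribute in EVALUATED_ATTRIBUTES:
            element = prop.find(attribute)
            value = (element.text or "").strip() if element is not None else ""
            if not value:
                continue
            right = required_right(attribute, value)
            if right:
                findings.append((prop.tag, attribute, right))
    return findings


def highest_required_right(findings):
    """Collapse findings into the single highest right the document would need."""
    if not findings:
        return None
    return max((f[2] for f in findings), key=RIGHT_RANK.__getitem__)


if __name__ == "__main__":
    results = analyze_xclass(SAMPLE_XML)
    for prop, attribute, right in results:
        print(f"property {prop!r}: attribute {attribute!r} requires {right} right")
    print("document as a whole requires:", highest_required_right(results))
```

A warning of this shape, shown before a privileged user saves, is what the advisory describes as missing in the affected versions; the same walk can be run across a content export to find XClass documents last touched by untrusted authors that would need review.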