Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/30160?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30160?format=api", "vulnerability_id": "VCID-4n2t-crsf-87gr", "summary": "XWiki allows remote code execution through preview of XClass changes in AWM editor\n### Impact\nAny XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. The detailed reproduction steps can be found in the [original bug report](https://jira.xwiki.org/browse/XWIKI-22719).\n\n### Patches\nThis vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.\n\n### Workarounds\nRestricting edit rights on all existing App Within Minutes applications to trusted users mitigates at least the PoC exploit, but we can't exclude that there are other ways to exploit this vulnerability.", "aliases": [ { "alias": "CVE-2025-49586" }, { "alias": "GHSA-jp4x-w9cj-97q7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69929?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@16.4.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@16.4.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/70939?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@16.10.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@16.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/70940?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.0.0" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/570537?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@7.2-milestone-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4n2t-crsf-87gr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@7.2-milestone-2" }, { "url": "http://public2.vulnerablecode.io/api/packages/570348?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@16.5.0-rc-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2act-yfey-vfgf" }, { "vulnerability": "VCID-3m9j-nt38-x3hq" }, { "vulnerability": "VCID-4n2t-crsf-87gr" }, { "vulnerability": "VCID-f872-dkzj-ufac" }, { "vulnerability": "VCID-p59s-q94b-9kb6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@16.5.0-rc-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/570538?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.0.0-rc-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3m9j-nt38-x3hq" }, { "vulnerability": "VCID-4n2t-crsf-87gr" }, { "vulnerability": "VCID-4tnv-dtd4-ubc5" }, { "vulnerability": "VCID-p59s-q94b-9kb6" }, { "vulnerability": "VCID-zha9-bprb-6ucp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.0.0-rc-1" } ], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49586", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04551", "scoring_system": "epss", "scoring_elements": "0.89147", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.04551", "scoring_system": "epss", "scoring_elements": "0.89182", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.04551", "scoring_system": "epss", "scoring_elements": "0.89165", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.04551", "scoring_system": "epss", "scoring_elements": "0.89162", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.09249", "scoring_system": "epss", "scoring_elements": "0.92748", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.09249", "scoring_system": "epss", "scoring_elements": "0.9272", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.09249", "scoring_system": "epss", "scoring_elements": "0.92726", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.09249", "scoring_system": "epss", "scoring_elements": "0.92725", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.09249", "scoring_system": "epss", "scoring_elements": "0.92736", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.09249", "scoring_system": "epss", "scoring_elements": "0.9274", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.09249", "scoring_system": "epss", "scoring_elements": "0.92743", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.09249", "scoring_system": "epss", "scoring_elements": "0.92744", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.09249", "scoring_system": "epss", "scoring_elements": "0.92739", "published_at": "2026-04-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49586" }, { "reference_url": "https://github.com/xwiki/xwiki-platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/xwiki/xwiki-platform" }, { "reference_url": "https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-06-13T18:07:25Z/" } ], "url": "https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42" }, { "reference_url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-06-13T18:07:25Z/" } ], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7" }, { "reference_url": "https://jira.xwiki.org/browse/XWIKI-22719", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-06-13T18:07:25Z/" } ], "url": "https://jira.xwiki.org/browse/XWIKI-22719" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49586", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49586" }, { "reference_url": "https://github.com/advisories/GHSA-jp4x-w9cj-97q7", "reference_id": "GHSA-jp4x-w9cj-97q7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jp4x-w9cj-97q7" } ], "weaknesses": [ { "cwe_id": 863, "name": "Incorrect Authorization", "description": "The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4n2t-crsf-87gr" }