CVE-2025-49583: CWE-270: Privilege Context Switching Error in xwiki xwiki-platform

Medium
Tags: Vulnerability, CVE-2025-49583, cve, cwe-270, cwe-357
Published: Fri Jun 13 2025 (06/13/2025, 17:04:49 UTC)
Source: CVE Database V5
Vendor/Project: xwiki
Product: xwiki-platform

Description

XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing links to other users, or to hide notifications about other attacks. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9; before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

AI-Powered Analysis

Last updated: 06/13/2025, 17:34:30 UTC

Technical Analysis

CVE-2025-49583 is a medium-severity vulnerability affecting the XWiki platform, a widely used generic wiki software. The issue stems from a privilege context switching error (CWE-270) related to the handling of notification email templates. Specifically, when a user without script rights creates a document containing an object of the class `XWiki.Notifications.Code.NotificationEmailRendererClass`, the email templates embedded in this object are later used for notifications when an administrator edits and saves that document. Although these templates support Velocity scripting code, the platform's existing generic analyzer warns administrators before they edit any Velocity code, preventing direct execution of malicious scripts. The primary risk is that attackers could abuse this mechanism to send spam emails, potentially containing phishing links, or to conceal notifications about other attacks by manipulating notification content. This could facilitate social engineering attacks or reduce the visibility of ongoing compromises. The vulnerability affects XWiki versions prior to 15.10.16, versions between 16.0.0-rc-1 and 16.4.7, and versions between 16.5.0-rc-1 and 16.10.2. The issue was addressed in versions 15.10.16, 16.4.7, and 16.10.2 by implementing enhanced analysis of the relevant XClass properties to detect and block dangerous templates. Notably, warning prompts before editing documents with dangerous properties were introduced only in version 15.9; earlier versions lacked such safeguards, increasing risk. The CVSS 4.0 base score is 5.1 (medium), reflecting network exploitability without authentication but requiring some privilege (limited user rights) and user interaction (admin editing). No known exploits are reported in the wild as of publication. Overall, the vulnerability allows limited privilege escalation in the context of notification emails, primarily enabling spam or phishing campaigns rather than direct code execution or system compromise.

Potential Impact

For European organizations using affected versions of XWiki, the vulnerability could lead to increased phishing and spam campaigns originating from legitimate internal systems, potentially undermining trust in internal communications and increasing the risk of credential theft or malware infection. Since the vulnerability does not allow direct code execution or system takeover, the impact on system integrity and availability is limited. However, the ability to manipulate notification emails could be exploited to hide indicators of other attacks or to socially engineer users into unsafe actions. Organizations with large user bases or critical collaboration platforms relying on XWiki are at greater risk of reputational damage and operational disruption due to phishing. Additionally, sectors with stringent regulatory requirements for data protection and communication integrity (e.g., finance, healthcare, government) may face compliance risks if phishing campaigns lead to data breaches. The medium severity and lack of known exploits suggest a moderate but non-negligible threat, especially if attackers combine this vulnerability with other attack vectors.

Mitigation Recommendations

1. Upgrade all XWiki instances to the patched versions: 15.10.16, 16.4.7, or 16.10.2, depending on the current version branch.
2. For environments where immediate patching is not feasible, restrict document creation permissions to trusted users only, especially limiting the ability to create objects of the class `XWiki.Notifications.Code.NotificationEmailRendererClass`.
3. Implement strict review and approval workflows for any document edits involving Velocity templates or notification-related objects, ensuring that administrators are aware of potential risks before saving changes.
4. Enhance monitoring of outgoing notification emails for unusual patterns, such as unexpected links or mass mailings, to detect potential abuse early.
5. Educate administrators and users about the risks of phishing and the importance of scrutinizing notification content, especially when editing or approving templates.
6. Consider deploying email security solutions with advanced phishing detection and URL filtering to mitigate the impact of any spam or phishing emails generated via this vulnerability.
7. Audit existing documents for the presence of `NotificationEmailRendererClass` objects created by non-privileged users and remove or sanitize them as necessary.
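The audit in item 7, as an added defender-side example that is not XWiki's own code and not part of the advisory: it walks an XWiki document XML export, picks out `NotificationEmailRendererClass` objects whose document author is not on an operator-supplied list of users known to hold script right, and reports which template fields carry Velocity directives or URLs so an administrator can inspect them before re-saving the page. The `<xwikidoc>` layout and the template field names `htmlTemplate`/`plainTextTemplate` are assumptions, and the sample export is constructed.

```python
import re
import xml.etree.ElementTree as ET

RENDERER_CLASS = "XWiki.Notifications.Code.NotificationEmailRendererClass"
VELOCITY_RE = re.compile(r"#(set|if|foreach|macro|include|parse)\b|\$\{?[A-Za-z_]")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample (not a real export) shaped like an XWiki <xwikidoc> XML page export;
# the template field names are assumptions.
SAMPLE_DOC = """<xwikidoc>
  <web>Sandbox</web>
  <name>Newsletter</name>
  <author>XWiki.lowprivuser</author>
  <object>
    <className>XWiki.Notifications.Code.NotificationEmailRendererClass</className>
    <number>0</number>
    <property><htmlTemplate>#set($u = "http://example.invalid/login")&lt;a href="$u"&gt;Confirm your account&lt;/a&gt;</htmlTemplate></property>
    <property><plainTextTemplate>Confirm your account: http://example.invalid/login</plainTextTemplate></property>
  </object>
  <object>
    <className>XWiki.TagClass</className>
    <number>0</number>
  </object>
</xwikidoc>"""


def renderer_objects(xml_text):
    """Return every NotificationEmailRendererClass object found in one document export."""
    root = ET.fromstring(xml_text)
    doc_ref = f"{root.findtext('web')}.{root.findtext('name')}"
    author = root.findtext("author") or ""
    found = []
    for obj in root.iter("object"):
        if obj.findtext("className") != RENDERER_CLASS:
            continue
        templates = {}
        for prop in obj.findall("property"):
            for field in prop:  # each <property> wraps one <fieldName>value</fieldName>
                templates[field.tag] = field.text or ""
        found.append({"document": doc_ref, "author": author,
                      "number": int(obj.findtext("number") or 0), "templates": templates})
    return found


def audit(xml_text, script_right_users):
    """Flag renderer objects whose document author is not known to hold script right.
    Each finding records, per template field, whether Velocity directives and which URLs
    appear, since an admin save would make these templates live for notification mail."""
    findings = []
    for obj in renderer_objects(xml_text):
        if obj["author"] in script_right_users:
            continue
        suspicious = {name: {"velocity": bool(VELOCITY_RE.search(body)),
                             "urls": URL_RE.findall(body)}
                      for name, body in obj["templates"].items()}
        findings.append({**obj, "suspicious": suspicious})
    return findings
```

Run it over each page export in a XAR (one `<xwikidoc>` file per page) and feed the author list from your own rights review; a finding is a page to inspect or sanitize, not proof of abuse.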


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-06T15:44:21.556Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 684c5d9ca8c921274380b6f9

Added to database: 6/13/2025, 5:19:24 PM

Last enriched: 6/13/2025, 5:34:30 PM

Last updated: 6/14/2025, 7:22:33 AM
