
CVE-2025-51991: n/a

Severity: High
Tags: vulnerability, cve, cve-2025-51991
Published: Wed Aug 20 2025 (08/20/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.

AI-Powered Analysis

AI Last updated: 08/20/2025, 15:17:59 UTC

Technical Analysis

CVE-2025-51991 is a Server-Side Template Injection (SSTI) vulnerability affecting XWiki versions up to and including 17.3.0. The vulnerability exists in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can store Apache Velocity template code in this field. The root cause is that the field is treated as a template to be evaluated rather than as a literal HTML fragment: its contents are passed through the Velocity engine without validation, escaping, or a restricted context, so any directives (#set, #if, #foreach, ...) and references ($...) it contains are executed. The field's contents are emitted in the HTML head of every rendered page, so injected template code runs on each page view, not only when the administrator saves the form. What the attacker can reach depends on the objects bound into the Velocity context at render time; in the general case this exposes internal server and request information, and in specific configurations it can be escalated to remote code execution (RCE) or sensitive data leakage, as the CVE description states. Two caveats apply when rating this. First, exploitation requires an administrator account; since XWiki administrators can normally author Velocity in wiki pages anyway, the practical privilege gain over that baseline is limited, and the main concern is that a compromised or malicious administrator gains a persistent, low-visibility code-execution point that fires on every page load. Second, no public exploit has been reported and no CVSS score has been assigned at the time of writing, so the "High" rating here is an editorial estimate, not a vendor or NVD score. The vulnerability was publicly disclosed on August 20, 2025.

Potential Impact

For European organizations using XWiki as a collaboration or knowledge management platform, the threat model is a compromised or malicious administrator account. If an attacker obtains administrator credentials, whether through phishing, credential reuse, or an insider, they could use this SSTI flaw to run arbitrary template logic on the server, read information available to the rendering context, and, where the configuration allows it, execute code on the host. Because the payload is stored in a global preference rather than in a single wiki page, it persists across page edits and triggers on every page view by every user, which makes it attractive as a foothold for data extraction and for lateral movement within the network. Organizations in regulated sectors such as finance, healthcare, and government are particularly exposed because of the sensitivity of the data typically stored in XWiki instances; the ability to execute arbitrary code could also allow attackers to stage malware or ransomware. The requirement for administrator authentication reduces the attack surface, but it does not reduce the impact once an administrator account is compromised or insufficiently protected.

Mitigation Recommendations

European organizations should immediately review and restrict administrator access to XWiki instances and enforce multi-factor authentication (MFA) for all administrator accounts. Administrators should be trained to recognize phishing and social engineering attempts aimed at their credentials. Administrative actions within XWiki should be logged and audited so that changes to global preferences can be attributed to a user and a time. No official patch links are provided in this record yet; organizations should monitor XWiki's security advisories and apply the fix for 17.3.0 promptly once it is published. In the meantime, audit the current value of the HTTP Meta Info field for Velocity syntax (directives beginning with # and references beginning with $) and restore it to plain HTML if anything unexpected is present; the field has no legitimate need for template logic. Also review the history of the XWiki.XWikiPreferences page for who last changed that field and when, since an injected payload would show up there as an edit. Web application firewall (WAF) rules that flag Velocity syntax in form submissions to the administration interface can catch an attempted injection, but note two limitations: such rules only see the initial save, not the later page views that actually trigger the stored template, and they will also fire on legitimate administrator edits that happen to contain $ or # characters, so treat them as an alert source rather than a hard block. Regular backups and incident response plans should be updated to cover the scenario of an administrator-level compromise of the wiki.
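The audit step above (checking the stored HTTP Meta Info field for Velocity syntax) can be scripted against a wiki XML export. The following is an added example written for this page, not XWiki project code. It assumes the export layout shown in the constructed sample (an xwikidoc root holding an object whose className is XWiki.XWikiPreferences and whose meta property carries the field), and the list of sensitive Velocity bindings ($services, $xcontext, $request, ...) is an assumed, non-exhaustive set of names XWiki exposes to scripts. The sample field contents are made up to illustrate what a flagged value looks like; they are not an exploit.

```python
"""Audit an XWiki.XWikiPreferences export for Velocity syntax in the meta field.

Added example, not XWiki code. The export snippet, the export layout and the
binding list are assumptions made for this example.
"""
import re
import xml.etree.ElementTree as ET

# Velocity directives. A leading backslash escapes a directive in Velocity,
# so a negative lookbehind skips "\#set" and similar.
DIRECTIVE_RE = re.compile(
    r"(?<!\\)#\{?(set|if|elseif|else|foreach|end|evaluate|parse|include|macro|define)\b"
)
# Velocity references: $name, $!name, ${name}, $!{name}. Group 1 is the root identifier.
REFERENCE_RE = re.compile(r"(?<!\\)\$!?\{?([A-Za-z_][A-Za-z0-9_]*)")
# Script bindings XWiki exposes to Velocity (assumed list, not exhaustive).
SENSITIVE_BINDINGS = {"services", "xcontext", "xwiki", "request", "response", "doc", "context"}

# Constructed sample export: one preferences object whose meta field
# (the HTTP Meta Info field) carries a #set directive and $ references.
SAMPLE_EXPORT = """<xwikidoc version="1.5" reference="XWiki.XWikiPreferences">
  <object>
    <name>XWiki.XWikiPreferences</name>
    <className>XWiki.XWikiPreferences</className>
    <property>
      <meta>&lt;meta name="author" content="Example Corp"&gt;
#set($h = $request.getHeader('Host'))
&lt;meta name="generator" content="$h by $xcontext.getUser()"&gt;</meta>
    </property>
  </object>
</xwikidoc>
"""


def find_velocity(text):
    """Return the directives found, the distinct reference roots, and the
    subset of roots that name a sensitive binding."""
    directives = [m.group(1) for m in DIRECTIVE_RE.finditer(text)]
    references = sorted({m.group(1) for m in REFERENCE_RE.finditer(text)})
    sensitive = [r for r in references if r in SENSITIVE_BINDINGS]
    return {"directives": directives, "references": references, "sensitive": sensitive}


def audit_export(xml_text, field="meta"):
    """Scan every XWiki.XWikiPreferences object in an export and report any
    Velocity syntax stored in `field`. ElementTree unescapes &lt;/&gt; for us,
    so the field is inspected as the administrator typed it."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter("object"):
        if obj.findtext("className") != "XWiki.XWikiPreferences":
            continue
        for prop in obj.iter("property"):
            node = prop.find(field)
            if node is None or not node.text:
                continue
            hits = find_velocity(node.text)
            if hits["directives"] or hits["references"]:
                hits["field"] = field
                findings.append(hits)
    return findings


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f"{f['field']}: directives={f['directives']} "
              f"references={f['references']} sensitive={f['sensitive']}")
```

A plain HTML meta snippet produces no findings. A literal "$" followed by a digit (a price, say) is deliberately not treated as a reference, but a word such as "$USD" would be flagged, so review hits by hand rather than acting on them automatically. Any directive at all in this field is worth investigating, since the field is meant to hold static HTML.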


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-06-16T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68a5e397ad5a09ad0005f17b

Added to database: 8/20/2025, 3:02:47 PM

Last enriched: 8/20/2025, 3:17:59 PM

Last updated: 8/22/2025, 12:34:56 AM

