CVE-2025-55728: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwikisas xwiki-pro-macros
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection, which enables remote code execution. Version 1.26.5 contains a patch for the issue.
AI Analysis
Technical Summary
CVE-2025-55728 is a critical remote code execution vulnerability in the xwiki-pro-macros component of the XWiki platform, affecting versions from 1.0 up to but not including 1.26.5. The vulnerability is an improper neutralization of directives in dynamically evaluated code (CWE-95), commonly called 'eval injection'. Its root cause is missing escaping of the 'classes' parameter of the 'panel' macro, which the macro inserts into XWiki syntax before rendering. Because the value is incorporated unescaped, an attacker with permission to edit any page can inject XWiki syntax that is evaluated at render time, leading to remote code execution on the server hosting the XWiki instance. Beyond the ability to edit pages, which some deployments grant to a broad set of users, no authentication or user interaction is required. The CVSS v3.1 score is 10.0 (critical), reflecting a network attack vector, low attack complexity, no privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. The issue was patched in xwiki-pro-macros version 1.26.5. No exploits in the wild were known as of the publication date (September 9, 2025); however, the severity and ease of exploitation make this a high-risk vulnerability for any deployment that has not applied the patch.
Potential Impact
For European organizations using XWiki with the vulnerable xwiki-pro-macros versions, this vulnerability poses a severe risk. Successful exploitation allows an attacker to execute arbitrary code remotely on the server, potentially leading to full system compromise, data theft, data manipulation, or service disruption. Given that XWiki is often used for internal documentation, collaboration, and knowledge management, compromise could expose sensitive corporate information, intellectual property, or internal processes. The vulnerability's exploitation requires only the ability to edit a page, which may be granted to a wide range of users, increasing the attack surface. In regulated industries common in Europe, such as finance, healthcare, and government, such a breach could lead to significant compliance violations under GDPR and other data protection laws, resulting in heavy fines and reputational damage. Additionally, the ability to execute code remotely could allow attackers to pivot within the network, escalating privileges or deploying ransomware. The lack of known exploits in the wild does not diminish the urgency, as public disclosure and a critical CVSS score may prompt attackers to develop exploits rapidly.
Mitigation Recommendations
European organizations should immediately verify their XWiki deployments for the presence of xwiki-pro-macros versions between 1.0 and 1.26.4 inclusive. The primary mitigation is to upgrade xwiki-pro-macros to version 1.26.5 or later, which contains the patch for this vulnerability. If immediate upgrade is not feasible, organizations should restrict page editing permissions to trusted users only, minimizing the risk of malicious edits. Additionally, implementing strict input validation and output escaping on the 'classes' parameter in custom macros or extensions can reduce risk. Monitoring and logging of page edits should be enhanced to detect suspicious activity. Network segmentation and application-layer firewalls can help contain potential exploitation attempts. Finally, organizations should conduct internal audits and penetration tests focusing on XWiki instances to identify any signs of compromise or attempted exploitation.
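As an added illustration of two of the controls recommended above (strict validation of the 'classes' parameter and monitoring of page edits), the following Python is example code written for this page; it is not code from xwiki-pro-macros or from XWiki. It assumes XWiki 2.x macro syntax ({{panel ...}} with double-quoted parameters) and runs over a constructed sample page; the allowlist of class-name characters and the list of syntax markers are assumptions to adjust for a real deployment.

```python
"""Defensive checks for the XWiki panel macro 'classes' parameter.

Added example, not code from xwiki-pro-macros or XWiki. Two things a
defender can run offline over page content taken from an XWiki export
or from an edit log:

1. validate_classes(): an allowlist check that accepts only CSS class
   tokens, i.e. the strict input validation recommended for 'classes'.
2. scan_panel_macros(): a detection pass over wiki-syntax page content
   that finds {{panel ...}} invocations and flags parameter values that
   carry XWiki syntax delimiters, which have no business in a class list.
"""
import re
from typing import List, Tuple

# One CSS class token: letters, digits, hyphen, underscore. Constructed
# allowlist; tighten or loosen it to match the stylesheets actually in use.
CLASS_TOKEN = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")

# A panel macro opening or self-closing tag (assumed XWiki 2.x syntax).
# Parameters are consumed as quoted strings so that a '}}' inside a quoted
# value does not terminate the match prematurely.
PANEL_MACRO = re.compile(
    r'\{\{panel\b((?:\s+[A-Za-z_][\w-]*\s*=\s*"(?:[^"\\]|\\.)*")*)\s*/?\}\}'
)
PARAM = re.compile(r'([A-Za-z_][\w-]*)\s*=\s*"((?:[^"\\]|\\.)*)"')

# Sequences that open or close XWiki syntax constructs (macro delimiters,
# group/style delimiters, the '~' escape character, line breaks). A value
# containing any of them is treated as injection rather than a class list.
SYNTAX_MARKERS = ("{{", "}}", "(%", "%)", "~", "\n", "\r")

# Constructed sample: one benign panel, one whose classes value smuggles
# macro syntax. "example" is a placeholder macro name, not a real macro.
SAMPLE_PAGE = (
    '{{panel title="Release notes" classes="panel-info compact"}}\n'
    "Nothing to see here.\n"
    "{{/panel}}\n"
    '{{panel classes="highlight {{example/}}"/}}\n'
)


def validate_classes(value: str) -> bool:
    """True only if value is a non-empty, space-separated list of CSS class tokens."""
    tokens = value.split()
    return bool(tokens) and all(CLASS_TOKEN.match(t) for t in tokens)


def scan_panel_macros(content: str) -> List[Tuple[str, str, str]]:
    """Return (parameter, value, reason) for every suspicious panel parameter."""
    findings: List[Tuple[str, str, str]] = []
    for macro in PANEL_MACRO.finditer(content):
        for name, raw in PARAM.findall(macro.group(1)):
            value = raw.replace('\\"', '"')  # undo quote escaping inside the value
            if name == "classes" and not validate_classes(value):
                findings.append((name, value, "classes is not a plain class list"))
                continue
            hit = next((m for m in SYNTAX_MARKERS if m in value), None)
            if hit is not None:
                findings.append((name, value, f"contains XWiki syntax marker {hit!r}"))
    return findings


if __name__ == "__main__":
    for param, value, reason in scan_panel_macros(SAMPLE_PAGE):
        print(f"SUSPICIOUS panel parameter {param}={value!r}: {reason}")
```

Run over the sample, the scanner reports only the second panel's classes value. In practice the same check can be applied to each new revision of a page as it is saved, which gives the edit-monitoring control a concrete signal rather than relying on manual review of diffs.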
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-14T22:31:17.682Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68c076b59256f7c60d152ee2
Added to database: 9/9/2025, 6:49:25 PM
Last enriched: 9/9/2025, 6:53:44 PM
Last updated: 9/10/2025, 4:07:21 AM