CVE-2025-66474: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki xwiki-rendering
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc.) into another syntax (XHTML, etc.). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit for remote code execution (RCE). Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1.
AI Analysis
Technical Summary
CVE-2025-66474 is a critical vulnerability in the xwiki-rendering component of the XWiki platform, classified as CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). XWiki Rendering converts textual input in various syntaxes into XHTML or other formats. The affected versions are 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0; they provide insufficient protection against injection of the closing {{/html}} directive, which lets an attacker terminate the html macro early and have subsequent content parsed as wiki syntax, including script macros. These macros can be Groovy or Python scripts that execute on the server, enabling remote code execution (RCE). The only prerequisite is that the attacker can edit their own profile or any other document in the wiki, which is a low-barrier permission in many deployments: no user interaction is needed, and no privileges beyond edit rights are required. Successful exploitation grants unrestricted read and write access to all wiki content and, through server-side code execution, opens the way to data exfiltration, defacement, or pivoting to other internal systems. The vulnerability has a CVSS 4.0 base score of 8.7 (high severity): network attack vector, low attack complexity, no privileges required beyond edit rights, and no user interaction. The issue was publicly disclosed on December 10, 2025, and fixed in versions 16.10.10, 17.4.3, and 17.6.0-rc-1. No exploitation in the wild has been reported yet, but the low barrier to exploitation and the severity of the impact make it a critical risk for affected organizations.
Potential Impact
For European organizations, this vulnerability poses a significant threat to confidentiality, integrity, and availability of internal wiki systems used for documentation, collaboration, and knowledge sharing. Compromise could lead to unauthorized disclosure of sensitive corporate or governmental information, manipulation or deletion of critical documentation, and potential lateral movement within networks if the wiki server is connected to internal infrastructure. Organizations relying on XWiki for regulated environments or critical operations face compliance and operational risks. The ability for attackers to execute arbitrary code remotely without requiring high privileges or user interaction increases the likelihood of successful attacks. Disruption of wiki services could also impact business continuity and employee productivity. Given the widespread use of XWiki in European public sector, education, and enterprises, the potential impact is broad and severe.
Mitigation Recommendations
1. Immediately upgrade all affected XWiki instances to the fixed versions: 16.10.10, 17.4.3, or 17.6.0-rc-1 or later.
2. Restrict edit permissions strictly to trusted users; audit and minimize who can edit profiles or documents to reduce the attack surface.
3. Implement web application firewall (WAF) rules to detect and block suspicious macro injection patterns, especially those involving {{/html}} directives or script macros.
4. Monitor wiki logs for unusual macro execution or edits, focusing on Groovy and Python macro usage.
5. Conduct internal security reviews and penetration testing to verify that no residual injection vectors remain.
6. Educate administrators and users about the risks of macro injection and safe editing practices.
7. Isolate wiki servers from critical internal networks where possible to limit lateral movement in case of compromise.
8. Regularly back up wiki content and verify restoration procedures to mitigate data loss from potential attacks.
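Recommendations 3 and 4 ask for detection of the injection shape in submitted content and in edit logs. The Python below is an added example written for this page, not code from XWiki or from the advisory source. It flags two things in a user-controlled fragment (a profile field or a document body): a closing {{/html}} marker with no matching open marker, and any Groovy or Python script macro. The sample edit records, the `scan`/`audit` function names, and the simplified macro-marker regex are constructed assumptions; XWiki's real macro parser is more elaborate, so this is a triage heuristic to feed a WAF rule or log review, not a replacement for upgrading.

```python
"""Heuristic scanner for the CVE-2025-66474 injection shape in XWiki-syntax content.

Added example (not XWiki code). A user-controlled fragment that closes an html
macro it never opened, followed by a server-side script macro, is the pattern
the advisory describes; a script macro on its own is also worth a look.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Simplified XWiki macro marker: {{name params}}, {{/name}} or {{name params/}}.
# Assumption: good enough for triage; the real parser handles more cases.
MACRO_RE = re.compile(
    r"\{\{\s*(?P<close>/)?\s*(?P<name>[A-Za-z_][\w-]*)(?P<params>[^}]*?)(?P<self>/)?\s*\}\}"
)

# Script macros named on the page; extend this set for other script engines.
SCRIPT_MACROS = frozenset({"groovy", "python"})


@dataclass(frozen=True)
class Finding:
    offset: int   # character offset of the macro marker in the content
    kind: str     # "unbalanced_html_close" or "script_macro"
    macro: str    # macro name as written (lower-cased)


def scan(content: str) -> list[Finding]:
    """Return findings for one user-controlled fragment, in document order."""
    findings: list[Finding] = []
    depth = 0  # nesting depth of html macros opened inside this fragment
    for m in MACRO_RE.finditer(content):
        name = m.group("name").lower()
        if name == "html":
            if m.group("close"):
                if depth == 0:
                    # Closing a macro this fragment never opened: it would
                    # terminate an enclosing {{html}} and re-enter wiki parsing.
                    findings.append(Finding(m.start(), "unbalanced_html_close", name))
                else:
                    depth -= 1
            elif not m.group("self"):
                depth += 1
        elif name in SCRIPT_MACROS and not m.group("close"):
            findings.append(Finding(m.start(), "script_macro", name))
    return findings


def is_suspicious(content: str) -> bool:
    return bool(scan(content))


def audit(records: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Run scan() over edit records and summarise hits as (user, doc, kinds)."""
    hits = []
    for rec in records:
        kinds = sorted({f.kind for f in scan(rec["content"])})
        if kinds:
            hits.append((rec["user"], rec["doc"], kinds))
    return hits


# Constructed sample edit records, not real XWiki audit data.
SAMPLE_EDITS = [
    {"user": "XWiki.Alice", "doc": "XWiki.Alice", "field": "comment",
     "content": "Hello, I work in the **infra** team.\n{{html}}<b>bold</b>{{/html}}"},
    {"user": "XWiki.Mallory", "doc": "XWiki.Mallory", "field": "comment",
     "content": "bio text{{/html}}{{groovy}}[constructed placeholder]{{/groovy}}{{html}}"},
    {"user": "XWiki.Bob", "doc": "Main.WebHome", "field": "content",
     "content": "{{info}}Welcome{{/info}} {{python}}[constructed placeholder]{{/python}}"},
]

if __name__ == "__main__":
    for user, doc, kinds in audit(SAMPLE_EDITS):
        print(f"{user} edited {doc}: {', '.join(kinds)}")
```

Run the fragment, not the fully rendered page, through `scan()`: in a profile field every {{/html}} is unbalanced by construction, which is exactly what makes it a useful signal there. Legitimate authors who need script macros will show up as `script_macro` hits, so pair that kind with the editor's actual script rights before raising an alert.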
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-02T16:23:01.098Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6939efe25ab76fdc5f31bfa6
Added to database: 12/10/2025, 10:10:42 PM
Last enriched: 12/10/2025, 10:17:16 PM
Last updated: 12/11/2025, 7:36:23 AM