CVE-2025-66474: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki xwiki-rendering
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit to achieve remote code execution (RCE). Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1.
AI Analysis
Technical Summary
CVE-2025-66474 is a high-severity vulnerability classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, 'Eval Injection') in XWiki Rendering, the component that converts wiki syntax, HTML and other input formats into XHTML and other output formats. Affected versions are 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0. The root cause is insufficient protection against injection of the closing {{/html}} macro marker: where user-controlled text is embedded inside an {{html}} ... {{/html}} macro, an attacker who includes a closing marker terminates the macro early, and whatever follows is parsed as wiki syntax instead of being treated as inert HTML macro content. HTML escaping of the user text does not help, because {{/html}} contains no HTML metacharacters. The attacker can therefore place script macros such as {{groovy}} or {{python}} after the injected closing marker; any user who can edit their own profile or any other document can do this, and the injected Groovy or Python code executes on the server with the privileges of the wiki application, giving remote code execution on the wiki host and unrestricted read and write access to all wiki content. The precondition is an authenticated account with edit rights, which is a low-privilege requirement rather than an unauthenticated one, and the precondition is met by any registered user who can edit their own profile; no interaction from another user is needed. The issue is fixed in 16.10.10, 17.4.3 and 17.6.0-rc-1. The CVSS v4.0 base score is 8.7 (High), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity and availability. No exploitation in the wild had been reported at the time of this analysis, but the low barrier and the RCE outcome make this an urgent patch for any organization running an affected XWiki version.
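The following is an added example, not XWiki code and not the project's patch: a deliberately simplified model of wiki macro parsing, just enough to show why wrapping untrusted text in an html macro becomes a script-injection sink when the closing marker is not neutralised, and to show a detection check that can be run over stored page or profile content. The macro grammar, the set of script macro names, the `wrap_insufficient` / `wrap_hardened` helpers and the payload are all assumptions constructed for the example; the real XWiki parser and the actual fix in 16.10.10 / 17.4.3 / 17.6.0-rc-1 are not reproduced here.

```python
import re

# Added example (not XWiki code): simplified model of macro parsing. It does not
# reproduce XWiki's real parser or the real fix; it shows the class of bug.

# Macro names that execute server-side code when rendered (assumed set for the example).
SCRIPT_MACROS = {"groovy", "python", "velocity", "script"}

# Toy grammar: {{name params}} ... {{/name}}. The model tolerates case and whitespace
# differences in the closing marker, the kind of variation a naive denylist misses.
MACRO_RE = re.compile(
    r"\{\{\s*(\w+)[^}]*\}\}(.*?)\{\{\s*/\1\s*\}\}", re.DOTALL | re.IGNORECASE
)
# Any closing marker, whatever the macro name: a cheap flag for a single untrusted field.
CLOSE_RE = re.compile(r"\{\{\s*/\s*\w+\s*\}\}", re.IGNORECASE)


def parse_macros(wiki_text):
    """Return [(macro_name, body), ...] for the top-level macros in wiki_text."""
    return [(m.group(1).lower(), m.group(2)) for m in MACRO_RE.finditer(wiki_text)]


def wrap_insufficient(untrusted):
    """Vulnerable pattern: embed untrusted text in an html macro and strip only the
    exact lowercase closing marker. Any other spelling terminates the macro early."""
    return "{{html}}" + untrusted.replace("{{/html}}", "") + "{{/html}}"


def wrap_hardened(untrusted):
    """Neutralise the delimiter rather than one spelling of the closing tag: once no
    literal '{{' survives, no closing marker can match in this model. The HTML entity
    still renders as '{{' in the browser. HTML escaping alone would not help, because
    '{{/html}}' has no HTML metacharacters. This is the example's approach, not XWiki's."""
    return "{{html}}" + untrusted.replace("{{", "&#123;&#123;") + "{{/html}}"


def injected_script_macros(wiki_text):
    """Detection over stored or composed content: script macros that sit outside the
    intended html wrapper are only reachable after a premature close."""
    return [name for name, _ in parse_macros(wiki_text) if name in SCRIPT_MACROS]


def contains_macro_close(field_value):
    """Triage check for one untrusted field (profile value, form input)."""
    return CLOSE_RE.search(field_value) is not None


# Constructed attacker-controlled profile field (e.g. a display name), not a real sample.
PAYLOAD = 'Alice {{ /HTML }}{{groovy}}println "pwned"{{/groovy}}{{html}}'

if __name__ == "__main__":
    print("insufficient:", injected_script_macros(wrap_insufficient(PAYLOAD)))  # ['groovy']
    print("hardened:   ", injected_script_macros(wrap_hardened(PAYLOAD)))      # []
    print("field flag: ", contains_macro_close(PAYLOAD))                        # True
```

With the insufficient wrapper, the exact spelling `{{/html}}` is stripped, but `{{ /HTML }}` closes the macro and the `{{groovy}}` block that follows is parsed as a top-level macro. With the hardened wrapper the whole field stays inside one html macro. `contains_macro_close` is the check to run over exported profile fields and page content when hunting for prior exploitation; it flags any closing marker, not a list of known spellings.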
Potential Impact
For European organizations, this vulnerability presents a significant threat to the confidentiality, integrity, and availability of sensitive information managed within XWiki platforms. Many enterprises, educational institutions, and government agencies in Europe rely on XWiki for internal documentation, collaboration, and knowledge management. Successful exploitation could lead to unauthorized disclosure of sensitive data, modification or deletion of critical documents, and potential lateral movement within the network if the attacker gains code execution on the server. This could disrupt business operations, damage organizational reputation, and lead to regulatory compliance violations under GDPR due to data breaches. The ability to execute arbitrary code remotely without requiring elevated privileges or user interaction increases the risk of widespread compromise, especially in environments with multiple users having edit rights. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the vulnerability’s characteristics suggest it could be rapidly weaponized by threat actors targeting European entities.
Mitigation Recommendations
1. Upgrade to a fixed version: 16.10.10, 17.4.3 or 17.6.0-rc-1. XWiki Rendering ships inside the XWiki platform distribution, so in practice this means upgrading the XWiki instance (or, for a custom deployment, every xwiki-rendering-* artifact on the classpath) rather than swapping a single jar. Verify the installed version afterwards.
2. Until the upgrade is done, restrict edit rights to the smallest set of trusted users, including the right to edit one's own profile, since profile editing alone is enough to reach the vulnerable path.
3. Do not treat custom input filtering as the fix: the vulnerability exists because protection against the closing marker was insufficient, and other spellings of the marker or other macros can slip past a denylist. If filtering is added as a stopgap, reject any untrusted field that contains a macro closing sequence ({{/...}}) rather than stripping known spellings.
4. WAF rules matching {{/html}} and script macro names ({{groovy}}, {{python}}) in request bodies add visibility, but treat them as a detective control, not a security boundary: the application, not the edge, decides how content is parsed.
5. Monitor for exploitation: search stored page and profile content for {{/html}} followed by {{groovy}}, {{python}} or other script macros, and review server logs for unexpected script macro execution and unauthorized profile edits.
6. Isolate the wiki server in a segmented network zone with limited access to backend systems, so that code execution on the wiki host does not directly expose other assets.
7. Conduct regular security audits and penetration testing focused on wiki platforms to identify similar injection flaws.
8. Enforce strong authentication and session management so that a compromised low-privilege account does not become the foothold; edit rights on a profile are all the attacker needs.
9. Back up wiki content regularly and verify backup integrity so that tampered or deleted content can be restored quickly.
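As an added example supporting steps 1 and 5 above (not XWiki tooling), the helpers below encode the advisory's affected ranges and pull version strings out of xwiki-rendering jar file names, so an operator can check a deployment's version against the advisory offline. The jar names are constructed samples, the version-ordering rule (an rc sorts before the final release of the same number) is the example's own, and the jar name pattern is an assumption about how the artifacts are named.

```python
import re

# Added example (not XWiki tooling): triage helpers for the advisory's version ranges.

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc-(\d+))?")
# Assumed naming convention: xwiki-rendering-<module>-<version>.jar
JAR_RE = re.compile(r"xwiki-rendering-[\w.-]*?-(\d+\.\d+\.\d+(?:-rc-\d+)?)\.jar$")

# Affected ranges exactly as the advisory states them (inclusive). None = no lower bound.
AFFECTED_RANGES = [(None, "16.10.9"), ("17.0.0-rc-1", "17.4.2"), ("17.5.0-rc-1", "17.5.0")]
FIXED_VERSIONS = ["16.10.10", "17.4.3", "17.6.0-rc-1"]


def parse_version(text):
    """Order XWiki-style versions: X.Y.Z-rc-N sorts before the final X.Y.Z."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, rc = m.groups()
    pre = (0, int(rc)) if rc is not None else (1, 0)  # rc < final release
    return (int(major), int(minor), int(patch), pre)


def is_affected(version):
    """True if version falls inside a range the advisory lists as vulnerable.
    Versions outside every range (e.g. 17.6.0 and later) are not listed and return False."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or parse_version(low) <= v) and v <= parse_version(high):
            return True
    return False


def version_from_jar(name):
    """Extract the version from a jar name such as xwiki-rendering-macro-html-17.4.2.jar."""
    m = JAR_RE.search(name)
    return m.group(1) if m else None


def audit_jars(jar_names):
    """Map each recognised xwiki-rendering jar to (version, affected?)."""
    report = {}
    for name in jar_names:
        version = version_from_jar(name)
        if version is not None:
            report[name] = (version, is_affected(version))
    return report


# Constructed sample listing of a WEB-INF/lib directory (not from a real deployment).
SAMPLE_JARS = [
    "xwiki-rendering-macro-html-17.4.2.jar",
    "xwiki-rendering-syntax-xwiki21-17.4.2.jar",
    "xwiki-rendering-api-17.4.3.jar",
    "commons-lang3-3.14.0.jar",
]

if __name__ == "__main__":
    for jar, (version, affected) in audit_jars(SAMPLE_JARS).items():
        print(f"{jar}: {version} {'AFFECTED' if affected else 'ok'}")
```

Two caveats from the ranges themselves: the check is literal, so a version the advisory does not list (for example anything above 17.6.0-rc-1) returns False without being asserted safe, and a mixed listing like the sample, where one rendering module is at 17.4.2 and another at 17.4.3, is itself a finding, since the fixed behaviour is only guaranteed when every rendering artifact is at a fixed version.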
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-02T16:23:01.098Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6939efe25ab76fdc5f31bfa6
Added to database: 12/10/2025, 10:10:42 PM
Last enriched: 12/17/2025, 11:12:52 PM
Last updated: 2/4/2026, 10:47:32 PM
Views: 150
Related Threats
- CVE-2026-22038: CWE-532: Insertion of Sensitive Information into Log File in Significant-Gravitas AutoGPT (High)
- CVE-2026-1894: Improper Authorization in WeKan (Medium)
- CVE-2025-62616: CWE-918: Server-Side Request Forgery (SSRF) in Significant-Gravitas AutoGPT (Critical)
- CVE-2025-62615: CWE-918: Server-Side Request Forgery (SSRF) in Significant-Gravitas AutoGPT (Critical)
- CVE-2026-25585: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in InternationalColorConsortium iccDEV (High)