File Disclosure in XWiki Jetty (16.10.11/17.4.4/17.7.0)
CVE-2025-55749 Published on December 1, 2025
The XWiki Jetty package (XJetty) allows accessing any application file through a URL
XWiki is an open-source wiki software platform. In versions from 16.7.0 up to, but not including, the fixed releases 16.10.11, 17.4.4, and 17.7.0, an instance that uses the XWiki Jetty package (XJetty) exposes a context that gives static access to any file located in the webapp/ folder. This allows access to files that might contain credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2025-55749 has been classified as an Authorization vulnerability or weakness.
Products Associated with CVE-2025-55749
Affected Versions
xwiki-platform:
- Version >= 16.7.0, < 16.10.11 is affected.
- Version >= 17.0.0-rc1, < 17.4.4 is affected.
- Version >= 17.5.0, < 17.7.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.