XWiki Pro Macros Remote Code Execution via Excerpt-Include Macro (CVE-2026-44179)
A critical vulnerability, CVE-2026-44179, exists in XWiki Pro Macros versions before 1.14.5, allowing remote code execution for any user with page editing rights due to improper escaping of page titles and content processed by the excerpt-include macro, leading to XWiki syntax injection and full compromise of the XWiki installation.
A critical vulnerability, tracked as CVE-2026-44179, affects XWiki Pro Macros versions 1.13 through 1.14.4. This flaw enables remote code execution (RCE) on affected XWiki installations. The vulnerability stems from the excerpt-include macro's failure to properly escape the title of an included page and its execution of excerpt content with elevated rights. This allows for XWiki syntax injection, where an attacker with basic page editing privileges can embed malicious Groovy code within a page's title or content. When this page is subsequently rendered or included by the excerpt-include macro, the embedded code is executed, providing the attacker with full control over the XWiki instance. This impacts the confidentiality, integrity, and availability of the entire XWiki system.
Attack Chain
- An attacker gains or already possesses valid credentials to an XWiki instance with page editing permissions, even without specific script or programming rights.
- The attacker creates a new XWiki page, for example, named "Exploit", using the standard page creation interface.
- The attacker then edits the "Exploit" page and maliciously modifies its title to include an XWiki Groovy Remote Code Execution (RCE) payload, such as
{{async}}{{groovy}}println("Malicious Code"){{/groovy}}{{/async}}. - The attacker embeds the vulnerable
excerpt-includemacro within the content of the same "Exploit" page, configured to include itself (e.g.,{{excerpt-include 0="Exploit.WebHome"}}{{/excerpt-include}}). - Concurrently, the attacker injects another Groovy RCE payload directly into an
{{excerpt}}block within the page's content, which will also be processed by the macro. - Upon saving or rendering the "Exploit" page, the XWiki engine processes the
excerpt-includemacro, which, due to improper escaping, executes the embedded Groovy code from the page's title and content. - The embedded Groovy code runs with the
excerpt-includemacro's rights, leading to successful Remote Code Execution on the underlying XWiki server.
Impact
The successful exploitation of CVE-2026-44179 leads to remote code execution on the XWiki server. This allows an attacker to execute arbitrary commands, compromise the integrity of the XWiki data, exfiltrate sensitive information, or disrupt the availability of the service. While no specific victim count is provided, the vulnerability affects all XWiki installations using the xwiki-pro-macros package within the vulnerable version range, posing a significant risk to any organization relying on XWiki for content management and collaboration.
Recommendation
- Prioritize patching XWiki Pro Macros to version 1.14.5 or later to remediate CVE-2026-44179 immediately.
- Review XWiki audit logs for any unusual page title modifications or new page creations containing suspicious syntax like
{{async}}{{groovy}}orprintln(. - Implement strong access controls for XWiki page editing, adhering to the principle of least privilege, even though this vulnerability bypasses typical script execution restrictions.