{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/xwiki-pro-macros--1.13--1.14.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["xwiki-pro-macros (\u003e= 1.13, \u003c 1.14.5)"],"_cs_severities":["critical"],"_cs_tags":["xwiki","rce","vulnerability","java","web-application"],"_cs_type":"advisory","_cs_vendors":["XWiki"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-44179, affects XWiki Pro Macros versions 1.13 through 1.14.4. This flaw enables remote code execution (RCE) on affected XWiki installations. The vulnerability stems from the \u003ccode\u003eexcerpt-include\u003c/code\u003e macro's failure to properly escape the title of an included page and its execution of excerpt content with elevated rights. This allows for XWiki syntax injection, where an attacker with basic page editing privileges can embed malicious Groovy code within a page's title or content. When this page is subsequently rendered or included by the \u003ccode\u003eexcerpt-include\u003c/code\u003e macro, the embedded code is executed, providing the attacker with full control over the XWiki instance. This impacts the confidentiality, integrity, and availability of the entire XWiki system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains or already possesses valid credentials to an XWiki instance with page editing permissions, even without specific script or programming rights.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new XWiki page, for example, named \u0026quot;Exploit\u0026quot;, using the standard page creation interface.\u003c/li\u003e\n\u003cli\u003eThe attacker then edits the \u0026quot;Exploit\u0026quot; page and maliciously modifies its title to include an XWiki Groovy Remote Code Execution (RCE) payload, such as \u003ccode\u003e{{async}}{{groovy}}println(\u0026quot;Malicious Code\u0026quot;){{/groovy}}{{/async}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker embeds the vulnerable \u003ccode\u003eexcerpt-include\u003c/code\u003e macro within the content of the same \u0026quot;Exploit\u0026quot; page, configured to include itself (e.g., \u003ccode\u003e{{excerpt-include 0=\u0026quot;Exploit.WebHome\u0026quot;}}{{/excerpt-include}}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eConcurrently, the attacker injects another Groovy RCE payload directly into an \u003ccode\u003e{{excerpt}}\u003c/code\u003e block within the page's content, which will also be processed by the macro.\u003c/li\u003e\n\u003cli\u003eUpon saving or rendering the \u0026quot;Exploit\u0026quot; page, the XWiki engine processes the \u003ccode\u003eexcerpt-include\u003c/code\u003e macro, which, due to improper escaping, executes the embedded Groovy code from the page's title and content.\u003c/li\u003e\n\u003cli\u003eThe embedded Groovy code runs with the \u003ccode\u003eexcerpt-include\u003c/code\u003e macro's rights, leading to successful Remote Code Execution on the underlying XWiki server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-44179 leads to remote code execution on the XWiki server. This allows an attacker to execute arbitrary commands, compromise the integrity of the XWiki data, exfiltrate sensitive information, or disrupt the availability of the service. While no specific victim count is provided, the vulnerability affects all XWiki installations using the \u003ccode\u003exwiki-pro-macros\u003c/code\u003e package within the vulnerable version range, posing a significant risk to any organization relying on XWiki for content management and collaboration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching XWiki Pro Macros to version 1.14.5 or later to remediate CVE-2026-44179 immediately.\u003c/li\u003e\n\u003cli\u003eReview XWiki audit logs for any unusual page title modifications or new page creations containing suspicious syntax like \u003ccode\u003e{{async}}{{groovy}}\u003c/code\u003e or \u003ccode\u003eprintln(\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls for XWiki page editing, adhering to the principle of least privilege, even though this vulnerability bypasses typical script execution restrictions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:06:27Z","date_published":"2026-07-03T11:06:27Z","id":"https://feed.craftedsignal.io/briefs/2026-07-xwiki-pro-macros-rce/","summary":"A critical vulnerability, CVE-2026-44179, exists in XWiki Pro Macros versions before 1.14.5, allowing remote code execution for any user with page editing rights due to improper escaping of page titles and content processed by the excerpt-include macro, leading to XWiki syntax injection and full compromise of the XWiki installation.","title":"XWiki Pro Macros Remote Code Execution via Excerpt-Include Macro (CVE-2026-44179)","url":"https://feed.craftedsignal.io/briefs/2026-07-xwiki-pro-macros-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Xwiki-Pro-Macros (\u003e= 1.13, \u003c 1.14.5)","version":"https://jsonfeed.org/version/1.1"}