CVE-2025-32969
CVSS 9.8 · EPSS 25.20%
HQL Hell: Breaking XWiki with a Single Quote and a Dream
Alon Barad
Software Engineer · Jan 3, 2026 · 7 min read
Weaponized
Executive Summary (TL;DR)
XWiki exposed a REST endpoint that accepts HQL queries. Due to a flaw in how 'short-form' queries were validated versus how they were executed, attackers can escape the HQL context. This results in unauthenticated Blind SQL Injection, leading to full database compromise and potential RCE. Rated CVSS 9.8.
A critical unauthenticated HQL injection vulnerability in XWiki's REST API allows attackers to break out of the Hibernate Query Language abstraction and execute raw SQL on the underlying database.
Technical Appendix
CVSS Score: 9.8 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Probability: 25.20% (top 4% most exploited)
Estimated exposed hosts via Shodan: 5,000
Affected Systems
XWiki Platform < 15.10.16
XWiki Platform 16.0.0-rc-1 to < 16.4.6
XWiki Platform 16.5.0-rc-1 to < 16.10.1
Affected Versions Detail

| Product | Affected Versions | Fixed Version |
|---|---|---|
| XWiki Platform (XWiki) | 1.8 - < 15.10.16 | 15.10.16 |
| XWiki Platform (XWiki) | 16.0.0 - < 16.4.6 | 16.4.6 |
| XWiki Platform (XWiki) | 16.5.0 - < 16.10.1 | 16.10.1 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-89 (SQL Injection) |
| Attack Vector | Network (REST API) |
| CVSS v3.1 | 9.8 (Critical) |
| CVSS v4.0 | 9.3 (Critical) |
| EPSS Score | 25.20% |
| EPSS Percentile | 96th Percentile |
| Exploit Status | PoC Available |
| Impact | Confidentiality, Integrity, Availability |
MITRE ATT&CK Mapping
CWE-89 (SQL Injection): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Known Exploits & Detection
Vulnerability Timeline
Fix committed to GitHub repository: 2024-12-06
Public Disclosure / GHSA Published: 2025-04-23
Nuclei Template Verified: 2025-08-28