CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-65091: Calendar of Doom: A Critical HQL Injection in XWiki

Vulnerability ID: CVE-2025-65091
CVSS Score: 10.0
Published: 2026-01-09

A 10.0 CVSS critical vulnerability in the XWiki Full Calendar Macro allows unauthenticated attackers to execute arbitrary HQL queries. The vulnerability stems from a Velocity script that accepts raw SQL fragments as URL parameters, effectively exposing a database console to the internet.

TL;DR

The XWiki Full Calendar Macro contained a 'Build-Your-Own-Query' vulnerability. By passing raw HQL into the sql URL parameter, unauthenticated attackers could dump the entire database or delete content. The fix involves dropping privileges and removing the ability to pass full queries.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CVSS: 10.0 (Critical)
  • CWE: CWE-89 (SQL Injection)
  • Attack Vector: Network (HQL Injection)
  • Privileges: None (Unauthenticated)
  • Exploit Status: High Probability (Trivial)
  • Patch: Version 2.4.5

Affected Systems

  • XWiki Full Calendar Macro < 2.4.5
  • macro-fullcalendar: < 2.4.5 (Fixed in: 2.4.5)

Code Analysis

Commit: 5fdcf06

Fix for CVE-2025-65091: Removed sql param, bound classname, dropped permissions.

-  #if ("$!{request.sql}" != '')
-    #set ($hql = $request.sql)
-  #else
-    #set ($hql =", BaseObject as obj $!{request.fromsql} where doc.fullName=obj.name and obj.className='${request.classname}' $!{request.wheresql}")
-  #end
+  #set ($discard = $xcontext.dropPermissions())
+  #set ($hqlStatement =", BaseObject as obj $!{request.fromsql} where doc.fullName=obj.name and obj.className=:classname $!{request.wheresql}")
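Review bot: the added statement line still interpolates $!{request.fromsql} and $!{request.wheresql} straight into the HQL text, so even with the sql parameter gone the fromsql and wheresql request parameters remain string-concatenated into the query and should be treated as injection points; binding :classname fixes only the class-name position. Consider replacing those two fragments with fixed clauses selected by an allowlisted filter name, or with further bound parameters. Also, the hunk introduces the :classname placeholder but does not show the corresponding bind call for it, so confirm that the value is actually supplied through the query's parameter binding rather than a later string substitution. The $xcontext.dropPermissions() call reduces the rights the query runs with, which limits impact, but it does not remove the injection surface.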

Exploit Details

  • Manual Analysis: Direct manipulation of 'sql' parameter allows dumping arbitrary database content.

Mitigation Strategies

  • Input Validation
  • Principle of Least Privilege
  • Parameter Binding
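The three strategies above, as an added example that is not code from the report or from XWiki: an in-memory SQLite database stands in for the HQL-backed XWiki tables (simplified doc and obj tables with the fullName, name and className columns the macro's query uses), the class-name lookup is shown once with string concatenation and once with a bound parameter, and the free-text from/where fragments are replaced by an allowlist of fixed clauses keyed by a filter name. All table contents, class names and filter names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the XWiki document/object tables the macro queries.
# SQLite replaces HQL here; the schema is a simplification, not XWiki's own.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE doc (fullName TEXT PRIMARY KEY, title TEXT);
        CREATE TABLE obj (name TEXT, className TEXT);
        INSERT INTO doc VALUES ('Calendar.Event1', 'Team meeting');
        INSERT INTO doc VALUES ('Calendar.Event2', 'Release day');
        INSERT INTO doc VALUES ('XWiki.Admin', 'Administrator profile');
        INSERT INTO obj VALUES ('Calendar.Event1', 'Calendar.CalendarEventClass');
        INSERT INTO obj VALUES ('Calendar.Event2', 'Calendar.CalendarEventClass');
        INSERT INTO obj VALUES ('XWiki.Admin', 'XWiki.XWikiUsers');
    """)
    return conn

# Vulnerable shape: the class name is pasted into the statement text, which is
# what the pre-fix macro did with '${request.classname}'.
def events_concatenated(conn, classname):
    stmt = ("SELECT doc.fullName FROM doc, obj "
            "WHERE doc.fullName = obj.name AND obj.className = '" + classname + "'")
    return sorted(row[0] for row in conn.execute(stmt))

# Hardened shape (parameter binding): the class name travels as a bound
# parameter, so its content can never change the statement's structure.
def events_bound(conn, classname):
    stmt = ("SELECT doc.fullName FROM doc, obj "
            "WHERE doc.fullName = obj.name AND obj.className = :classname")
    return sorted(row[0] for row in conn.execute(stmt, {"classname": classname}))

# Input validation for what the macro exposed as free-text from/where fragments:
# the caller picks a filter name, and only a fixed clause from this allowlist is
# ever appended to the statement. Filter names and clauses are constructed.
ALLOWED_FILTERS = {
    "all": "",
    "team": " AND doc.title LIKE '%Team%'",
}

def events_filtered(conn, classname, filter_name):
    if filter_name not in ALLOWED_FILTERS:
        raise ValueError("unknown filter: " + filter_name)
    stmt = ("SELECT doc.fullName FROM doc, obj "
            "WHERE doc.fullName = obj.name AND obj.className = :classname"
            + ALLOWED_FILTERS[filter_name])
    return sorted(row[0] for row in conn.execute(stmt, {"classname": classname}))

# Compare the two shapes on a constructed tautology input: with concatenation the
# WHERE clause is rewritten and every doc/obj pair comes back (including the
# admin profile); with binding the same text simply matches no class name.
def demo():
    conn = build_db()
    tautology = "x' OR '1'='1"
    return {
        "concatenated": events_concatenated(conn, tautology),
        "bound": events_bound(conn, tautology),
        "legitimate": events_bound(conn, "Calendar.CalendarEventClass"),
        "filtered": events_filtered(conn, "Calendar.CalendarEventClass", "team"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, len(rows), rows)
```

The point of events_filtered is the one the report's mitigation list implies for fromsql and wheresql: a request parameter should select a clause, never supply one, and anything outside the allowlist is rejected before a statement is built.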

Remediation Steps:

  1. Upgrade org.xwiki.contrib:macro-fullcalendar to version 2.4.5 or later immediately.
  2. If upgrading is impossible, delete the Calendar/JSONService page from your wiki.
  3. Restrict 'View' permissions on the Calendar space to authenticated users only.

Read the full report for CVE-2025-65091 on our website for more details including interactive diagrams and full exploit analysis.
