XWiki-Platform - SQLi (CVE-2025-32429)

CVE-2025-32429 is a critical SQL injection vulnerability in XWiki Platform versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, where the 'sort' parameter in getdeleteddocuments.vm is improperly handled. This flaw allows remote attackers to inject arbitrary SQL code, potentially leading to unauthorized data access, data manipulation, or full compromise of the underlying database.

CrowdSec has been tracking this vulnerability and its exploits since 10th of September 2025.

CrowdSec network data shows that most actors exploiting CVE-2025-32429 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. CrowdSec network telemetry also shows that exploitation of CVE-2025-32429 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit the /xwiki/rest/liveData/sources/liveTable/entries endpoint by injecting malicious SQL statements into the sort parameter, often using the sourceParams.template=getdeleteddocuments.vm query string to trigger the vulnerability.