{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "13.5-rc-1"
              },
              {
                "fixed": "15.10.13"
              }
            ]
          },
          "events": [
            {
              "introduced": "f36d6f0081ab89ac8ba6a8176e542d646defaabd"
            },
            {
              "fixed": "97e8f148873bd95834ed6f93e564bbf77070ea2b"
            }
          ],
          "repo": "https://github.com/xwiki/xwiki-platform",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "16.0.0-rc-1"
              },
              {
                "fixed": "16.4.4"
              }
            ]
          },
          "events": [
            {
              "introduced": "6f103dbca9c98cf3b53bfadb83d982facb198d56"
            },
            {
              "fixed": "c20d0fd69f97fd2d2eaa6c78d785f2097ed5a5d0"
            }
          ],
          "repo": "https://github.com/xwiki/xwiki-platform",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "16.5.0-rc-1"
              },
              {
                "fixed": "16.8.0"
              }
            ]
          },
          "events": [
            {
              "introduced": "ed06c998964cae931ccfe7005a67eeaedaf60e58"
            },
            {
              "fixed": "49af0ac677c5f80e29ec8044c81ac51d3161152a"
            }
          ],
          "repo": "https://github.com/xwiki/xwiki-platform",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-pjhg-9wr9-rj96"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-601"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32970.json"
  },
  "details": "XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirects to any URL. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0.",
  "id": "CVE-2025-32970",
  "modified": "2026-04-01T23:10:09.213981314Z",
  "published": "2025-04-30T14:54:52.008Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-22487"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32970.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pjhg-9wr9-rj96"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32970"
    },
    {
      "type": "FIX",
      "url": "https://github.com/xwiki/xwiki-platform/commit/6dab7909f45deb00efd36a0cd47788e95ad64802"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability"
}