    • VaultWiki Security Update: October 2025

      by pegasus
      Published on October 12, 2025 11:10 AM
      As of October 12, security patches for October 2025 are now available.

      Issue List

      VWE-2025-6703 is a Denial of Service issue, where a user can use specially crafted editor URLs to process WYSIWYG content using the maximum character allowance of a desired custom field. The issue affects VaultWiki 4.1.0 RC 1 and higher, on XenForo 2.x platforms only.

      VWE-2025-6704 is a Denial of Service issue, where a user can leverage the File Browser to process WYSIWYG content significantly longer than the maximum character allowance. The issue affects VaultWiki 4.0.0 Alpha 1 and higher.

      VWE-2025-6705 is a Denial of Service issue, where a user can leverage the Template Inclusion editor button to process WYSIWYG content significantly longer than the maximum character allowance. The issue affects VaultWiki 4.1.0 RC 3 and higher.

      VWE-2025-6706 is a Denial of Service issue, where a user can leverage the wiki editor to process WYSIWYG content longer than the maximum character allowance. The issue affects VaultWiki 4.0.0 Alpha 1 and higher, on vBulletin platforms only.

      VWE-2025-6707 is a Denial of Service issue, where a user can leverage the wiki comment editor to process WYSIWYG content longer than the maximum character allowance. The issue affects VaultWiki 4.0.0 Alpha 1 and higher, on vBulletin platforms only.

      VWE-2025-6709 is a Permissions Escalation issue, where a user can process WYSIWYG content using the rules for areas or custom fields that they normally do not have permission for. The issue affects VaultWiki 4.0.0 Alpha 1 and higher.

      Caveat on Earlier Versions

      Although the disclosure lists only VaultWiki versions in the 4.x series as affected, this does not mean that the described vectors cannot be used in earlier versions, or that denial of service attacks cannot be performed with them. During the 3.x series and earlier, VaultWiki relied completely on vBulletin code logic to process WYSIWYG editor input. Thus, in those versions, any vulnerable behavior would be due to a flaw in vBulletin's code, rather than VaultWiki's.

      Patches

      The following patches address the aforementioned issues:
      • 4.1.9 Patch Level 1
      • 4.1.8 Patch Level 3*

      *A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified through follow-up on a user report submitted prior to the version's end-of-life. However, we recommend that users update to a more recent patched version.

      Notes

      We recommend that all users running VaultWiki in a production environment update to a patched release.