CVE-2026-26000
published 2026-02-12CVE-2026-26000: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible…
PriorityP430medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.28%
19.7th percentile
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | < 16.10.13 | 16.10.13 |
| xwiki | xwiki | >= 17.0.0 < 17.4.6 | 17.4.6 |
| xwiki | xwiki | >= 17.5.0 < 17.9.0 | 17.9.0 |
| xwiki | xwiki-platform | < 16.10.13 | 16.10.13 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
XWiki vulnerable to click-jacking through CSS injection in comments
osv·2026-02-12
CVE-2026-26000 [MEDIUM] XWiki vulnerable to click-jacking through CSS injection in comments
XWiki vulnerable to click-jacking through CSS injection in comments
### Impact
It's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. All versions of XWiki are impacted by this kind of attack.
### Patches
The problem has been patched not by preventing injecting CSS in comments, which is currently a feature of XWiki, but by requiring confirmation from users when driving them to untrusted domains after clicking on a link, thus preventing any click-jacking attack.
This security measure has been put in place in XWiki 17.9.0, 17.4.6, 16.10.13.
### Workarounds
There's no out-of-the-box workaround, but it should be possible to partly reuse [the javascript code provided for the security measure](https://github.com/xwiki/xwiki
GHSA
XWiki vulnerable to click-jacking through CSS injection in comments
ghsa·2026-02-12
CVE-2026-26000 [MEDIUM] CWE-1021 XWiki vulnerable to click-jacking through CSS injection in comments
XWiki vulnerable to click-jacking through CSS injection in comments
### Impact
It's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. All versions of XWiki are impacted by this kind of attack.
### Patches
The problem has been patched not by preventing injecting CSS in comments, which is currently a feature of XWiki, but by requiring confirmation from users when driving them to untrusted domains after clicking on a link, thus preventing any click-jacking attack.
This security measure has been put in place in XWiki 17.9.0, 17.4.6, 16.10.13.
### Workarounds
There's no out-of-the-box workaround, but it should be possible to partly reuse [the javascript code provided for the security measure](https://github.com/xwiki/xwiki
No detection rules found.
No public exploits indexed.
2026-02-12
Published