CVE-2026-26000
Undergoing Analysis Undergoing Analysis - In Progress
CSS Injection in XWiki Comments Enables Malicious Link Redirection

Publication date: 2026-02-12

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26000
EUVD
EUVD-2026-6694
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
xwiki xwiki to 16.10.13 (exc)
xwiki xwiki From 17.0.0 (inc) to 17.4.6 (exc)
xwiki xwiki From 17.5.0 (inc) to 17.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1021 The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26000 is a moderate severity vulnerability affecting XWiki Platform versions prior to 17.9.0, 17.4.6, and 16.10.13. It involves an attacker injecting CSS code via comments to transform the entire wiki interface into a clickable link area that redirects users to malicious external pages.

This happens because XWiki allows CSS injection in comments as a feature, which can be exploited to overlay UI elements and mislead users into clicking unintended links. The underlying issue is an improper restriction of rendered UI layers, causing user confusion about the interface they interact with.

The attack requires no privileges and is network-based with low complexity, but it does require user interaction (clicking the malicious link). The vulnerability was fixed by implementing a security measure that requires user confirmation before navigating to untrusted external domains.

Impact Analysis

This vulnerability can cause users of the XWiki platform to be tricked into clicking on links that appear to be part of the wiki interface but actually redirect to malicious external websites.

The impact on confidentiality, integrity, and availability of the system is low, and there is no direct system compromise or data loss. However, users may be exposed to phishing or other social engineering attacks due to the misleading clickable area.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves CSS injection via comments in the XWiki platform, which transforms the wiki interface into a clickable link area leading to malicious pages. Detection involves inspecting comments for injected CSS that overlays UI elements.

Since the vulnerability is related to CSS injection in comments, you can detect suspicious activity by searching for CSS code or unusual style tags within comments in the XWiki database or exported content.

No specific out-of-the-box detection commands are provided, but general approaches include:

  • Query the XWiki database or exported wiki pages for comments containing CSS style tags or suspicious CSS code.
  • Use web application scanning tools to detect click-jacking or CSS injection vulnerabilities on the wiki interface.
  • Monitor network traffic for unusual redirects or user interactions leading to external domains after clicking on wiki links.
Mitigation Strategies

The vulnerability is fixed in XWiki versions 17.9.0, 17.4.6, and 16.10.13. The primary mitigation step is to upgrade your XWiki platform to one of these fixed versions or later.

If immediate upgrade is not possible, partial mitigation can be achieved by implementing JavaScript confirmation prompts before navigation to untrusted external domains. This prevents automatic redirection without user consent.

No out-of-the-box workaround exists, so applying the official patch or upgrade is strongly recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26000. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart