CVE-2026-26000
CSS Injection in XWiki Comments Enables Malicious Link Redirection
Publication date: 2026-02-12
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | < 16.10.13 |
| xwiki | xwiki | >= 17.0.0 and < 17.4.6 |
| xwiki | xwiki | >= 17.5.0 and < 17.9.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames: the web application does not restrict, or incorrectly restricts, frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26000 is a moderate-severity vulnerability in XWiki Platform, fixed in 16.10.13, 17.4.6 and 17.9.0 (the affected ranges are listed above). An attacker who can post a comment injects CSS into it so that the whole wiki interface becomes one clickable area that leads to an attacker-chosen external page.
It works because comments in XWiki can legitimately carry CSS (styling in comments is a supported feature), so attacker-controlled styles can draw a layer over the real interface; the user believes they are interacting with the wiki when they are in fact clicking a link. This is the CWE-1021 pattern: improper restriction of rendered UI layers, leading to confusion about which interface the user is interacting with.
The attack is network-based, low complexity and needs no privileges, but it requires user interaction (the victim has to click inside the overlaid area). The fix adds a confirmation step before the browser navigates to an untrusted external domain.
How can this vulnerability impact me?
Users of the wiki can be tricked into clicking what looks like part of the wiki interface but is in fact a link to an attacker-controlled external site.
The impact on confidentiality, integrity and availability is rated low; there is no direct system compromise or data loss. The practical risk is that a trusted wiki page becomes a launch point for phishing or other social-engineering attacks, because the victim clicks what appears to be the wiki itself.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The issue is CSS injected through comments, so detection means finding comments whose styling builds an overlay over the interface (fixed or absolute positioning, viewport-sized boxes, high z-index values, transparent layers) combined with a link to an external host.
Because the CSS lives in comment bodies, the most direct check is to search the stored comments, in the database or in an exported copy of the wiki, for style parameters, style tags or raw-HTML macros rather than plain text.
No vendor-supplied detection command is published, but general approaches include:
- Query the XWiki database (comments are stored as XWiki.XWikiComments objects) or an exported XAR for comment bodies containing style parameters, <style> tags, the {{html}} macro, or CSS positioning properties.
- Run a web application scanner against the wiki to look for clickjacking and CSS-injection findings on rendered pages.
- Watch proxy or web server logs for referrals from wiki pages to unexpected external domains, which is what a successful lure produces.
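The scan described above, as an added example rather than code from XWiki or from this advisory: it scores each comment body against the indicators an overlay needs (a style entry point, layout properties that lift an element over the page, and an outbound link) and flags the ones that combine them. The sample comment rows are constructed; the XWQL query in the header comment, the record shape and the threshold are assumptions about a given deployment.

```javascript
// Added example (not XWiki project code): heuristic scan of XWiki comment bodies
// for CSS that could turn the page into a full-screen clickable overlay, the
// pattern described for CVE-2026-26000. The comment records are CONSTRUCTED
// sample data. In a real review you would feed in rows from an XWQL query such as
//   select doc.fullName, obj.author, obj.comment
//   from Document doc, doc.object(XWiki.XWikiComments) as obj
// (the query text and the record shape are assumptions about your deployment).

const INDICATORS = [
  // XWiki 2.x syntax lets a paragraph or (((group))) carry a style parameter
  { name: "xwiki-style-param", re: /\(%[^%]*\bstyle\s*=/i, weight: 2 },
  // raw HTML entry points
  { name: "html-macro", re: /\{\{\s*html\b/i, weight: 2 },
  { name: "style-tag", re: /<style\b/i, weight: 3 },
  // properties that lift an element out of the flow and over the real UI
  { name: "positioned-layer", re: /position\s*:\s*(fixed|absolute)/i, weight: 3 },
  { name: "viewport-sized", re: /(?:width|height)\s*:\s*100(?:vw|vh|%)|\binset\s*:\s*0/i, weight: 2 },
  { name: "high-z-index", re: /z-index\s*:\s*\d{3,}/i, weight: 2 },
  { name: "invisible-layer", re: /opacity\s*:\s*0(?:\.0+)?(?![\d.])|visibility\s*:\s*hidden/i, weight: 1 },
  // a link that leaves the wiki, in wiki syntax ([[label>>url]]) or raw HTML
  { name: "external-link", re: /\[\[[^\]]*>>\s*https?:\/\/|href\s*=\s*["']https?:\/\//i, weight: 1 },
];

// Score a single comment body; returns the total weight and the indicator names that fired.
function scoreComment(text) {
  const hits = INDICATORS.filter((ind) => ind.re.test(text)).map((ind) => ind.name);
  const score = hits.reduce((sum, name) => sum + INDICATORS.find((i) => i.name === name).weight, 0);
  return { score, hits };
}

// Flag records whose score reaches the threshold. A lone style parameter or a
// lone external link is normal comment traffic; the overlay needs layout
// properties plus a destination, which is what pushes a comment over the line.
function scanComments(records, threshold = 5) {
  return records
    .map((r) => ({ ...r, ...scoreComment(r.comment) }))
    .filter((r) => r.score >= threshold);
}

// Constructed sample rows (doc / author / comment), not real wiki content.
const SAMPLE_COMMENTS = [
  { doc: "Main.WebHome", author: "XWiki.Guest",
    comment: '(% style="position:fixed; top:0; left:0; width:100vw; height:100vh; z-index:9999; opacity:0" %)\n' +
             "[[Click anywhere>>https://attacker.example/login]]" },
  { doc: "Sandbox.TestPage1", author: "XWiki.Alice",
    comment: '(% style="color:red" %) Please fix the heading colour.' },
  { doc: "Sandbox.TestPage2", author: "XWiki.Bob",
    comment: "See the upstream docs: [[XWiki>>https://www.xwiki.org/]]" },
  { doc: "Sandbox.TestPage3", author: "XWiki.Carol",
    comment: "Thanks, looks good to me." },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scanComments(SAMPLE_COMMENTS)) {
    console.log(`${r.doc} by ${r.author}: score ${r.score} [${r.hits.join(", ")}]`);
  }
}
```

Only the constructed guest comment on Main.WebHome crosses the threshold; the coloured-heading remark and the plain documentation link each fire a single low-weight indicator, which is why the scan scores combinations rather than matching any one regex. Tune the weights and threshold against a sample of your own comment history before acting on the output.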
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in XWiki 16.10.13, 17.4.6 and 17.9.0. The primary mitigation is to upgrade to the fixed release for your branch, or later.
If an immediate upgrade is not possible, a partial stopgap is a site-level JavaScript handler that asks the user to confirm before following a link to an untrusted external domain, which mirrors what the fix does. It does not remove the injected CSS and it does nothing for users with scripting disabled, so it reduces the chance of an unnoticed redirect rather than closing the issue.
There is no official configuration-only workaround, so applying the upgrade is strongly recommended.
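One way to build the stopgap described above, as an added example and not XWiki's shipped fix: a capturing click handler resolves every anchor's href against the current page, lets same-host, allow-listed and non-web links through, and asks for confirmation otherwise. The capture phase matters because the overlay is just an anchor stretched over the page, and the handler has to run before anything else sees the click. Where to load it (a skin file or a JavaScriptSkinExtension object) and the allow-list contents are assumptions.

```javascript
// Added example (not XWiki's shipped fix): a client-side stopgap that asks the
// user to confirm before the browser follows a link to a host outside the wiki.
// It is wired as a capturing click handler so it sees clicks on an anchor even
// when CSS has stretched that anchor over the whole page. Loading it via a skin
// or a JavaScriptSkinExtension object, and the allow-list, are assumptions.

// Hosts that count as "ours" besides the page's own host (assumed values).
const TRUSTED_HOSTS = ["cdn.example.org"];

function resolveTarget(href, currentUrl) {
  try {
    return new URL(href, currentUrl); // resolves relative hrefs against the page
  } catch {
    return null; // malformed href: leave it to the browser
  }
}

function isTrustedHost(hostname, currentHostname, allowList) {
  if (hostname === currentHostname) return true;
  // exact match or a subdomain of an allow-listed host; a bare endsWith check
  // would accept "wiki.example.org.attacker.example", so require the dot
  return allowList.some((h) => hostname === h || hostname.endsWith("." + h));
}

// True when following `href` from `currentUrl` would leave the wiki.
function needsConfirmation(href, currentUrl, allowList = TRUSTED_HOSTS) {
  const target = resolveTarget(href, currentUrl);
  if (!target) return false;
  // only web navigations; mailto:, tel: and fragment links are not redirects
  if (target.protocol !== "http:" && target.protocol !== "https:") return false;
  return !isTrustedHost(target.hostname, new URL(currentUrl).hostname, allowList);
}

function installExternalLinkGuard(doc, confirmFn, allowList = TRUSTED_HOSTS) {
  doc.addEventListener("click", (ev) => {
    const anchor = ev.target && ev.target.closest ? ev.target.closest("a[href]") : null;
    if (!anchor) return;
    const href = anchor.getAttribute("href");
    const current = doc.location.href;
    if (!needsConfirmation(href, current, allowList)) return;
    const hostname = resolveTarget(href, current).hostname;
    if (!confirmFn(`This link leaves the wiki for ${hostname}. Continue?`)) {
      ev.preventDefault();   // cancel the navigation
      ev.stopPropagation();  // keep page scripts from re-triggering it
    }
  }, true); // capture phase: runs before handlers attached by page content
}

// In a browser, arm the guard on the document; in Node this block is skipped.
if (typeof document !== "undefined") {
  installExternalLinkGuard(document, (msg) => window.confirm(msg));
}
```

The decision is kept in needsConfirmation, a pure function of the href, the current URL and the allow-list, so it can be unit-tested without a DOM; the handler only wires it to events. Note that a determined phisher can still register a host under an allow-listed domain you control loosely, so keep the allow-list short.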