XWiki Platform Vulnerability - CSS Injection Risk in Malicious Comments
CVE-2026-26000

5.3MEDIUM

Key Information:

Vendor: Xwiki
Status: Xwiki-platform
Vendor: CVE Published:; 12 February 2026

What is CVE-2026-26000?

The XWiki Platform, a versatile wiki solution, is susceptible to a CSS injection vulnerability through comments. This flaw, found in versions before 17.9.0, 17.4.6, and 16.10.13, enables attackers to manipulate the platform's CSS. Consequently, this could lead to the entire wiki being transformed into a deceptive link area, potentially redirecting users to harmful external websites. The issue has been rectified in the indicated versions, reinforcing the importance of timely updates and security awareness in web applications.

Affected Version(s)

xwiki-platform >= 17.5.0, < 17.9.0 < 17.5.0, 17.9.0

xwiki-platform >= 17.0.0-rc-1, < 17.4.6 < 17.0.0-rc-1, 17.4.6

xwiki-platform < 16.10.13 < 16.10.13

References

https://github.com/xwiki/xwiki-platform/security/advisori...

x_refsource_CONFIRM

https://github.com/xwiki/xwiki-platform/releases/tag/xwik...

x_refsource_MISC

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 12, 2026
Vulnerability Reserved
Feb 9, 2026

CVE-2026-26000 Data

JSON

Xwiki

What is CVE-2026-26000?

Affected Version(s)

References

CVSS V4

Timeline