XWiki Platform Vulnerability - CSS Injection Risk in Malicious Comments
CVE-2026-26000

5.3MEDIUM

Key Information:

Vendor: Xwiki
Status: Xwiki-platform
Vendor: CVE Published:; 12 February 2026

What is CVE-2026-26000?

The XWiki Platform, a versatile wiki solution, is susceptible to a CSS injection vulnerability through comments. This flaw, found in versions before 17.9.0, 17.4.6, and 16.10.13, enables attackers to manipulate the platform's CSS. Consequently, this could lead to the entire wiki being transformed into a deceptive link area, potentially redirecting users to harmful external websites. The issue has been rectified in the indicated versions, reinforcing the importance of timely updates and security awareness in web applications.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

xwiki-platform >= 17.5.0, < 17.9.0 < 17.5.0, 17.9.0

xwiki-platform >= 17.0.0-rc-1, < 17.4.6 < 17.0.0-rc-1, 17.4.6

xwiki-platform < 16.10.13 < 16.10.13

References

https://github.com/xwiki/xwiki-platform/security/advisori...

x_refsource_CONFIRM

https://github.com/xwiki/xwiki-platform/releases/tag/xwik...

x_refsource_MISC

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Feb 12, 2026
Vulnerability Reserved
Feb 9, 2026

JSON

Xwiki