CVE-2026-26000 MEDIUM

CVE-2026-26000: XWiki Platform affected by click-jacking through CSS injection in comments

Vendor Xwiki
Product xwiki-platform
Weakness CWE-1021
Published February 12, 2026
Last update February 12, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, CSS can be injected through comments so that the full wiki is turned into a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.

Key dates

02 Disclosure timeline

February 12, 2026 CVE published
February 12, 2026 Record updated