CVE-2026-26000
XWiki vulnerable to click-jacking through CSS injection in comments
Description
### Impact It's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. All versions of XWiki are impacted by this kind of attack. ### Patches The problem has been patched not by preventing injecting CSS in comments, which is currently a feature of XWiki, but by requiring confirmation from users when driving them to untrusted domains after clicking on a link, thus preventing any click-jacking attack. This security measure has been put in place in XWiki 17.9.0, 17.4.6, 16.10.13. ### Workarounds There's no out-of-the-box workaround, but it should be possible to partly reuse [the javascript code provided for the security measure](https://github.com/xwiki/xwiki-platform/blob/xwiki-platform-17.9.0/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-war/src/main/webapp/resources/uicomponents/link/link-protection.js) in a JSX object inside the wiki, to request the same kind of confirmation. ### References * JIRA ticket: https://jira.xwiki.org/browse/XWIKI-23433 * Documentation of the new security measure: https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.9.0RC1/Entry006/ * Commit for the security fix: https://github.com/xwiki/xwiki-platform/commit/29cb81f3a5387cf822d7e7534bdd63903275f86b ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected]) ### Attribution Thanks Tomas Keech (Sentrium Security Ltd) for reporting this vulnerability.
How to fix CVE-2026-26000
To remediate CVE-2026-26000, upgrade the affected package to a fixed version below.
- —upgrade to 17.9.0 or later
Is CVE-2026-26000 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.