Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.
Published: 2026-02-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Click‑jacking via CSS injection in comments
Action: Immediate Patch
AI Analysis

Impact

XWiki Platform lets end users add comments that are stored with the page and rendered as part of it. Before the fixed versions, CSS placed in a comment is rendered along with the comment, and an attacker can use that CSS to turn the whole page into a link area: wherever a viewer clicks, the browser navigates to a page of the attacker's choosing. The weakness is classified as CWE‑1021 (Improper Restriction of Rendered UI Layers or Frames), the clickjacking class; the delivery mechanism is CSS injection through user‑generated content rather than a script injection. The direct consequence for anyone who views the affected page is unintended navigation, which lends itself to phishing and, via a convincing landing page, credential theft.

Affected Systems

All installations of XWiki Platform running versions prior to 17.9.0, 17.4.6, or 16.10.13 are impacted. The defect lies in how comment content is rendered: CSS supplied in a comment is not neutralized before the comment is displayed to other users. Administrators should check the product version and upgrade; this page lists no vendor workaround, so if an upgrade must wait, restricting who may post comments is the interim control to reach for.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 indicates moderate severity; NVD's CVSS 3.1 assessment, recorded in the history below, is 6.1 (Medium) with scope changed. The EPSS value below 1% points to a low probability of exploitation in the wild, the vulnerability is not in the CISA KEV catalog, and the SSVC record marks exploitation as "none" and the attack as not automatable. The vector requires no privileges (PR:N) and only passive user interaction (UI:P): the attacker posts a malicious comment, and any user who later views the page is affected, which is a realistic path wherever comments can be posted by untrusted or anonymous users. Once triggered, the attack misleads users into clicking what they take to be ordinary page content and lands them on an attacker‑controlled page; CVSS rates the impact as low on confidentiality, integrity and availability, with the actual harm depending on what the destination page does (for example, a phishing form).

Generated by OpenCVE AI on April 17, 2026 at 19:58 UTC.

Remediation

The vendor fix is the upgrade named in the description: 17.9.0, 17.4.6, or 16.10.13 (see GHSA-74rh-c5rh-88vg). No workaround is listed on this page.

OpenCVE Recommended Actions

  • Update XWiki Platform to 17.9.0, 17.4.6, or 16.10.13, whichever matches your release line, to apply the vendor fix for the CSS injection.
  • Until the upgrade is in place, reduce exposure: the vector needs no privileges, so restrict the comment right to authenticated, trusted groups, and do not assume the comment renderer filters CSS.
  • Audit existing comments for injected CSS (style elements or style attributes, especially anything positioned fixed or absolute that spans the viewport) and remove malicious payloads; consider a temporary block on new comments while remediation is underway.
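As an added illustration, not code from this page, from XWiki or from OpenCVE, the script below shows the mechanism described in the impact analysis and one way to carry out the audit in the last bullet. It assumes you have exported the comment bodies as HTML text by whatever means your deployment offers (if comments are stored as wiki syntax, run it on the rendered HTML instead); the sample comments are constructed, and attacker.invalid is a placeholder host. It flags CSS that can pull an element out of the comment box and stretch it across the viewport, and it shows a neutralization that strips style elements and style attributes. It is not XWiki's own renderer or sanitizer and is no substitute for the vendor fix.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample comment bodies (not real XWiki data). Comments 3 and 4
# have the shape of a CSS-injection clickjacking payload: a <style> block or
# an inline style stretches an anchor over the whole viewport, so wherever
# the victim clicks, the browser navigates to the attacker's page.
SAMPLE_COMMENTS = [
    {"id": 1, "body": "Thanks, this fixed my build."},
    {"id": 2, "body": 'See <a href="https://example.org/docs">the docs</a>.'},
    {"id": 3, "body": '<style>a.x{position:fixed;top:0;left:0;width:100vw;'
                      'height:100vh;z-index:9999}</style>'
                      '<a class="x" href="https://attacker.invalid/"></a>'},
    {"id": 4, "body": '<a href="https://attacker.invalid/" style="position:'
                      'absolute;inset:0;display:block;z-index:2147483647"></a>'},
]

# CSS that lets an element leave the comment box (positioning) or cover the
# page (full-size or inset). Either one inside a comment deserves a look.
POSITIONED = re.compile(r"position\s*:\s*(?:fixed|absolute)", re.I)
FULL_SIZE = re.compile(
    r"\binset\s*:|width\s*:\s*100\s*(?:vw|%)|height\s*:\s*100\s*(?:vh|%)", re.I)


class CssCollector(HTMLParser):
    """Gathers every place CSS can ride in: <style> text and style="" attributes."""

    def __init__(self):
        super().__init__()
        self.in_style, self.css, self.hrefs = False, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self.in_style = True
        if a.get("style"):
            self.css.append(a["style"])
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # HTMLParser delivers <style> contents via handle_data
            self.css.append(data)


def analyze_comment(body):
    """Findings for one comment body; 'suspicious' means overlay-capable CSS."""
    p = CssCollector()
    p.feed(body)
    p.close()
    css = " ".join(p.css)
    checks = (("has-css", bool(p.css)), ("positioned", POSITIONED.search(css)),
              ("full-size", FULL_SIZE.search(css)))
    findings = [name for name, hit in checks if hit]
    suspicious = "positioned" in findings or "full-size" in findings
    return {"suspicious": suspicious, "findings": findings, "hrefs": p.hrefs}


def audit(comments):
    """Ids of comments whose CSS could turn the page into one big link."""
    return [c["id"] for c in comments if analyze_comment(c["body"])["suspicious"]]


class StyleStripper(HTMLParser):
    """Rebuilds markup without <style> elements or style attributes. Text and
    attribute values are re-escaped because HTMLParser hands them over decoded."""

    def __init__(self):
        super().__init__()
        self.out, self.skipping = [], 0

    def _attrs(self, attrs):
        return "".join(f' {k}="{html.escape(v, quote=True)}"' if v is not None else f" {k}"
                       for k, v in attrs if k != "style")

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.skipping += 1
        else:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag != "style":
            self.out.append(f"<{tag}{self._attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if tag == "style":
            self.skipping = max(0, self.skipping - 1)
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))


def strip_css(body):
    """Neutralize a comment: its links stay, but nothing in it can cover the page."""
    s = StyleStripper()
    s.feed(body)
    s.close()
    return "".join(s.out)
```

Running `audit(SAMPLE_COMMENTS)` flags comments 3 and 4 and leaves the ordinary link in comment 2 alone, because a plain anchor inside the comment box is not the problem; the problem is CSS that makes the anchor escape the box. `strip_css` keeps the anchor but removes what lets it cover the page. Note the caveat: a class name left on the element can still pick up rules from the site's own stylesheets, so a real allowlist sanitizer should also decide which classes user content may carry.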


Advisories
Source: GitHub GHSA
ID: GHSA-74rh-c5rh-88vg
Title: XWiki vulnerable to click-jacking through CSS injection in comments
History

Thu, 19 Feb 2026 19:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Xwiki xwiki
CPEs                                   cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Vendors & Products                     Xwiki xwiki
Metrics                                cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Fri, 13 Feb 2026 21:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Xwiki; Xwiki xwiki-platform
Vendors & Products                     Xwiki; Xwiki xwiki-platform

Thu, 12 Feb 2026 21:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 20:45:00 +0000

Type                  Values Removed   Values Added
Description                            XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.
Title                                  XWiki Platform affected by click-jacking through CSS injection in comments
Weaknesses                             CWE-1021
References                             (none recorded)
Metrics                                cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T20:54:45.754Z

Reserved: 2026-02-09T17:41:55.859Z

Link: CVE-2026-26000

Vulnrichment

Updated: 2026-02-12T20:54:22.760Z

NVD

Status : Analyzed

Published: 2026-02-12T21:16:02.990

Modified: 2026-02-19T19:22:44.910

Link: CVE-2026-26000

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses