CVE-2026-26000: XWiki vulnerable to click-jacking through CSS injection in comments
Comments can be used to inject CSS that turns the entire wiki page into a link area leading to a malicious page, so a user who clicks anywhere on the page is sent to the attacker's destination. All versions of XWiki are affected by this kind of attack.
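As an added illustration (not XWiki's code and not the fix linked in the references below), the following Python heuristic flags user-submitted comment markup whose CSS pulls an element out of the normal flow and stretches it over the whole viewport, which is the overlay pattern that lets a single link cover the page. The function names and the sample comments are constructed for this example; a real deployment would run such a check at comment-save time or strip styling from comments altogether.

```python
import re

# Inline style="..." attributes and <style> blocks in comment markup.
STYLE_ATTR_RE = re.compile(r'style\s*=\s*(["\'])(.*?)\1', re.IGNORECASE | re.DOTALL)
STYLE_BLOCK_RE = re.compile(r'<style[^>]*>(.*?)</style>', re.IGNORECASE | re.DOTALL)

# Values that make a box span the full viewport dimension.
FULL_SIZE = {"100%", "100vw", "100vh"}
ZERO = {"0", "0px"}


def extract_css(markup: str) -> list[str]:
    """Collect every inline style attribute and <style> block found in the markup."""
    found = [m.group(2) for m in STYLE_ATTR_RE.finditer(markup)]
    found += [m.group(1) for m in STYLE_BLOCK_RE.finditer(markup)]
    return found


def parse_declarations(css: str) -> dict[str, str]:
    """Tiny CSS declaration parser: 'a: B; c: d' -> {'a': 'b', 'c': 'd'}.

    Selectors from <style> blocks are discarded; only property/value pairs matter here.
    Property names and values are lower-cased so comparisons are case-insensitive.
    """
    body = re.sub(r"[^{}]*\{", " ", css)  # drop 'selector {'
    body = body.replace("}", " ")
    decls: dict[str, str] = {}
    for part in body.split(";"):
        if ":" in part:
            prop, _, val = part.partition(":")
            decls[prop.strip().lower()] = val.strip().lower()
    return decls


def covers_viewport(decls: dict[str, str]) -> bool:
    """True when the declarations position an element over the whole page.

    Two signals are required: the element is taken out of flow (fixed/absolute)
    and it is either sized to 100% width and height or pinned to all four edges.
    """
    if decls.get("position") not in {"fixed", "absolute"}:
        return False
    full_width = decls.get("width") in FULL_SIZE
    full_height = decls.get("height") in FULL_SIZE
    pinned = all(decls.get(edge) in ZERO for edge in ("top", "left", "right", "bottom"))
    pinned = pinned or decls.get("inset") in ZERO
    return (full_width and full_height) or pinned


def flag_overlay_css(markup: str) -> bool:
    """Return True if any CSS in the comment markup would produce a page-covering overlay."""
    return any(covers_viewport(parse_declarations(css)) for css in extract_css(markup))


def triage_comments(comments: list[str]) -> list[int]:
    """Return the indexes of comments that should be held for review instead of rendered."""
    return [i for i, body in enumerate(comments) if flag_overlay_css(body)]


# Constructed sample comment bodies; not taken from the advisory or from XWiki.
SAMPLE_COMMENTS = [
    "Thanks, this fixed my setup!",
    '<a href="https://example.invalid/" style="position:fixed; top:0; left:0; '
    'width:100%; height:100%">.</a>',
    '<span style="color: red; font-weight: bold">Important</span>',
    "<style>.note { position: absolute; inset: 0 }</style>Read the note.",
]

if __name__ == "__main__":
    for idx in triage_comments(SAMPLE_COMMENTS):
        print(f"comment {idx} held for review: page-covering CSS detected")
```

The check deliberately looks at the effect of the declarations (out-of-flow plus full-size or edge-pinned) rather than at a blocklist of property names, so reformulations such as `inset: 0` or `100vw`/`100vh` are caught by the same rule. It is a heuristic for review queues and detection, not a substitute for removing style capabilities from untrusted comment markup.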
References
- github.com/advisories/GHSA-74rh-c5rh-88vg
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/commit/29cb81f3a5387cf822d7e7534bdd63903275f86b
- github.com/xwiki/xwiki-platform/commit/7b5a4f8c34d9b1da3d966e17f7dbccabac448e75
- github.com/xwiki/xwiki-platform/pull/4645
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-74rh-c5rh-88vg
- jira.xwiki.org/browse/XWIKI-23433
- nvd.nist.gov/vuln/detail/CVE-2026-26000
- www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.9.0RC1/Entry006