What is CVE-2026-26000?

### Impact It's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. All versions of XWiki are impacted by this kind of attack. ### Patches The problem has been patched not by preventing injecting CSS in comments, which is currently a feature of XWiki, but by requiring confirmation from users when driving them to untrusted domains after clicking on a link, thus preventing any click-jacking attack. This security measure has been put in place in XWiki 17.9.0, 17.4.6, 16.10.13. ### Workarounds There's no out-of-the-box workaround, but it should be possible to partly reuse [the javascript code provided for the security measure](https://github.com/xwiki/xwiki-platform/blob/xwiki-platform-17.9.0/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-war/src/main/webapp/resources/uicomponents/link/link-protection.js) in a JSX object inside the wiki, to request the same kind of confirmation. ### References * JIRA ticket: https://jira.xwiki.org/browse/XWIKI-23433 * Documentation of the new security measure: https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.9.0RC1/Entry006/ * Commit for the security fix: https://github.com/xwiki/xwiki-platform/commit/29cb81f3a5387cf822d7e7534bdd63903275f86b ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org) ### Attribution Thanks Tomas Keech (Sentrium Security Ltd) for reporting this vulnerability.

What is the severity of CVE-2026-26000?

CVE-2026-26000 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-26000?

No known public exploits are currently available for CVE-2026-26000.

Is there a patch available for CVE-2026-26000?

Yes, patches are available for CVE-2026-26000. Check the vendor advisories for update instructions.

CVE-2026-26000 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

It's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. All versions of XWiki are impacted by this kind of attack.

Patches

The problem has been patched not by preventing injecting CSS in comments, which is currently a feature of XWiki, but by requiring confirmation from users when driving them to untrusted domains after clicking on a link, thus preventing any click-jacking attack. This security measure has been put in place in XWiki 17.9.0, 17.4.6, 16.10.13.

Workarounds

There's no out-of-the-box workaround, but it should be possible to partly reuse the javascript code provided for the security measure in a JSX object inside the wiki, to request the same kind of confirmation.

References

JIRA ticket: https://jira.xwiki.org/browse/XWIKI-23433
Documentation of the new security measure: https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.9.0RC1/Entry006/
Commit for the security fix: https://github.com/xwiki/xwiki-platform/commit/29cb81f3a5387cf822d7e7534bdd63903275f86b

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Attribution

Thanks Tomas Keech (Sentrium Security Ltd) for reporting this vulnerability.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com Github.com