CVE-2026-26000
📋 TL;DR
This vulnerability in XWiki Platform lets anyone who can post a comment inject CSS that is rendered as part of the page. The injected styling can turn the entire wiki interface into one large clickable area that sends users to an attacker-chosen site. Affected are installations on release lines older than the fixes: versions before 17.9.0 on the 17.x line, before 17.4.6 on the 17.4.x line, and before 16.10.13 on the 16.10.x line. Any user with comment rights can exploit it, which includes unauthenticated visitors on wikis where guests are allowed to comment.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
XWiki by XWiki
⚠️ Risk & Real-World Impact
Worst Case
Entire wiki interface becomes a malicious link area, redirecting all users to phishing/malware sites, potentially leading to credential theft, malware installation, or further compromise of user systems.
Likely Case
Attackers create deceptive clickable areas that redirect users to malicious sites, potentially stealing credentials or delivering malware through social engineering.
If Mitigated
On a patched release, or on a wiki where untrusted users cannot comment, the injected CSS never reaches the rendered page, so the interface cannot be overlaid or turned into a redirect.
🎯 Exploit Status
Exploitation requires only the ability to post a comment; no authentication is needed on wikis where guests may comment. Complexity is rated medium: the attacker must craft CSS that survives the comment rendering path and covers the whole viewport, but no authentication bypass or memory corruption is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.9.0, 17.4.6, or 16.10.13
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-74rh-c5rh-88vg
Restart Required: Yes. A platform upgrade replaces the deployed WAR, so the XWiki webapp (in practice the servlet container running it) must be restarted for the new version to load.
Instructions:
1. Back up your XWiki installation (database and permanent directory).
2. Upgrade to 17.9.0, 17.4.6, or 16.10.13, whichever matches your release line.
3. Verify that the new version is reported in the administration panel.
4. Test comment functionality.
🔧 Temporary Workarounds
Disable comment posting
- Temporarily remove the ability of untrusted users to post comments so the injection path is closed.
- In the wiki or space rights administration, deny the comment right to the Guest user and to any groups you do not trust.
Implement input filtering
- Add custom input validation that strips or rejects CSS in comment bodies before they are stored.
- Package the check as a custom XWiki extension that filters style declarations in comments.
🧯 If You Can't Patch
- Disable comment functionality entirely for all users
- Implement web application firewall rules that block comment submissions carrying full-page overlay CSS (for example `position:fixed` or `position:absolute` combined with viewport-sized width and height); treat this as a stopgap, since pattern-based rules can be evaded
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version in the administration panel and compare it against the fix on its own release line: 17.5.0 through 17.8.x (below 17.9.0), 17.4.0 through 17.4.5, 16.10.0 through 16.10.12, and any release older than 16.10.13 are vulnerable. A version such as 17.5.0 is above 17.4.6 but still unpatched, so compare within the line, not against the lowest fixed number.
Check Version:
Check the XWiki administration dashboard, or read the `version=` entry in `WEB-INF/version.properties` inside the deployed webapp (this is the file XWiki itself reads to report its version; `xwiki.properties` holds configuration, not the version).
Verify Fix Applied:
After patching, verify that the administration panel reports a patched release on the same line: 17.9.0 or later on 17.x, 17.4.6 or later on 17.4.x, or 16.10.13 or later on 16.10.x.
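The per-line comparison above is easy to get wrong by hand (17.5.0 is newer than 17.4.6 yet unpatched), so here is an added check script that encodes it. This is example code written for this page, not an XWiki project tool; the only facts it takes from the advisory are the three fixed releases, and the release-line logic is the usual reading of "fixed in". The `version_from_properties` helper assumes the `version=` key of `WEB-INF/version.properties`.

```python
"""Branch-aware version check for CVE-2026-26000.

Added example, not XWiki project code. The only facts it encodes are the fixed
releases named in the advisory (17.9.0, 17.4.6, 16.10.13); the release-line
logic around them is the usual semantic-versioning reading of "fixed in".
"""
import re

# First fixed release on each line, keyed by (major, minor).  The trailing 1
# marks a final release; pre-release builds get 0 so they sort before it.
FIXED_ON_LINE = {
    (17, 9): (17, 9, 0, 1),     # 17.x main line, fixed from 17.9.0 onwards
    (17, 4): (17, 4, 6, 1),     # 17.4.x maintenance line
    (16, 10): (16, 10, 13, 1),  # 16.10.x maintenance line
}
MAIN_LINE_FIX = FIXED_ON_LINE[(17, 9)]

VERSION_RE = re.compile(r'(\d+)\.(\d+)(?:\.(\d+))?(-[A-Za-z][\w.-]*)?')


def parse_version(text):
    """'17.4.5' -> (17, 4, 5, 1); '17.9.0-rc-1' -> (17, 9, 0, 0); '17.9' -> (17, 9, 0, 1).

    A -rc-N / -milestone-N / -SNAPSHOT suffix marks a pre-release, which may
    predate the fix, so it is ranked below the final release of the same number.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_vulnerable(text):
    """True when the version sits below the fix on its own release line."""
    v = parse_version(text)
    line = v[:2]
    if line in FIXED_ON_LINE:      # 17.9.x, 17.4.x, 16.10.x: compare within the line
        return v < FIXED_ON_LINE[line]
    if line > (17, 4):             # 17.5 .. 17.8 sit on the main line (fixed at 17.9.0); 18.x is later
        return v < MAIN_LINE_FIX
    return True                    # 17.0-17.3, 16.0-16.9 and older: no fixed release on that line


def version_from_properties(text):
    """Pull the version out of WEB-INF/version.properties ('version=17.4.5').
    Assumption: the key is literally 'version', as in the deployed XWiki webapp."""
    for line in text.splitlines():
        key, sep, value = line.partition('=')
        if sep and key.strip() == 'version':
            return value.strip()
    raise ValueError("no version= entry found")


def audit(versions):
    """Map each version string to True (vulnerable) or False (patched)."""
    return {v: is_vulnerable(v) for v in versions}


if __name__ == '__main__':
    # Constructed sample of versions an inventory might return.
    for version, vulnerable in audit(
            ['16.9.0', '16.10.12', '16.10.13', '17.0.0', '17.4.5', '17.4.6',
             '17.8.2', '17.9.0-rc-1', '17.9.0', '18.0.0']).items():
        print(f"{version:<12} {'VULNERABLE' if vulnerable else 'patched'}")
```

Feed it the strings from your inventory (or the contents of each instance's `version.properties`); pre-release builds of a fixed number are deliberately reported as vulnerable, since a release candidate may have been cut before the fix landed.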
📡 Detection & Monitoring
Log Indicators:
- Unusual CSS patterns in comment submissions
- Multiple comment submissions with CSS content
Network Indicators:
- Unexpected redirects from wiki pages
- Requests to suspicious domains from wiki interface
SIEM Query (a broad starting point; expect noise from ordinary styling and comment traffic):
source="xwiki" AND (message="*css*" OR message="*comment*" OR message="*inject*")
If web server access logs are ingested, narrow the search to requests for XWiki's comment-posting action (paths containing `/bin/commentadd/`) from unauthenticated or newly created accounts, since the access log records the request but not the comment body.