CVE-2026-26000: The Invisible Minefield: Weaponizing CSS in XWiki Comments


Vulnerability ID: CVE-2026-26000
CVSS Score: 5.3
Published: 2026-02-12

A UI redressing (clickjacking) vulnerability in XWiki Platform lets an unauthenticated attacker hijack other users' clicks through CSS injected into a comment. By overlaying an invisible anchor on the whole interface, the attacker can silently redirect anyone who clicks the page to a malicious domain, turning a trusted wiki into a phishing launchpad.

TL;DR

XWiki allowed comment authors to include raw CSS that was not scoped to the comment itself. An attacker can use this to create an invisible, page-wide link (position: fixed; width: 100vw;) that sits on top of the normal UI, so a click anywhere on the wiki page follows the attacker's link to an attacker-controlled site. The fix adds a JavaScript interceptor that prompts the user before following a link that leaves the wiki's trusted domains.
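To make the fix concrete, here is an added example of the kind of click interceptor described above. It is not XWiki's link-protection.js and does not use XWiki's configuration: the trusted-domain list, the page URL and the function names are assumptions for this illustration. It resolves every clicked href against the current page, so relative links, fragments, protocol-relative links (//attacker.example), userinfo tricks (https://wiki.example.org@attacker.example/) and non-HTTP schemes are all classified correctly, and it prompts only when the destination is outside the allowlist.

```javascript
// Added example (not XWiki's link-protection.js): prompt before following a
// link that leaves the wiki's trusted domains.  TRUSTED_DOMAINS is a
// constructed allowlist, not a real XWiki setting.
const TRUSTED_DOMAINS = ["wiki.example.org", "example.org"];

// Resolve a possibly relative href against the page URL; null if unparsable.
function resolveLink(href, pageUrl) {
  try {
    return new URL(href, pageUrl);
  } catch (e) {
    return null;
  }
}

// True only for http(s) destinations whose host is a trusted domain or a
// subdomain of one.  javascript:/data: links are never trusted.
function isTrustedLink(href, pageUrl, trustedDomains = TRUSTED_DOMAINS) {
  const target = resolveLink(href, pageUrl);
  if (!target) return false;
  if (target.protocol !== "http:" && target.protocol !== "https:") return false;
  const host = target.hostname.toLowerCase();
  return trustedDomains.some((d) => {
    const dom = d.toLowerCase();
    return host === dom || host.endsWith("." + dom);
  });
}

// Decide what to do with a click.  `confirmFn` is injected so the logic can
// be exercised without a browser.  Returns "ignored", "allowed" or "blocked".
function handleLinkClick(event, pageUrl, confirmFn, trustedDomains = TRUSTED_DOMAINS) {
  // Clicks may land on an element nested inside the anchor (an <img>, a <span>).
  const anchor =
    event.target && typeof event.target.closest === "function"
      ? event.target.closest("a[href]")
      : null;
  if (!anchor) return "ignored";

  const href = anchor.getAttribute("href");
  if (isTrustedLink(href, pageUrl, trustedDomains)) return "allowed";

  const target = resolveLink(href, pageUrl);
  const where = target ? target.hostname || target.protocol : "an unparsable URL";
  if (confirmFn(`This link leaves the wiki and goes to ${where}. Continue?`)) {
    return "allowed";
  }
  event.preventDefault();
  return "blocked";
}

// Install once at document level, in the capture phase, so links injected
// later (comments load dynamically) are covered and the check runs before any
// per-element handler the injected markup might carry.
function installLinkProtection(doc, pageUrl, confirmFn) {
  doc.addEventListener(
    "click",
    (event) => handleLinkClick(event, pageUrl, confirmFn),
    true
  );
}

// Browser entry point; skipped when run outside a DOM (e.g. under Node).
if (typeof document !== "undefined" && typeof window !== "undefined") {
  installLinkProtection(document, window.location.href, window.confirm.bind(window));
}
```

Note that the allowlist match is on the parsed hostname, not on a string prefix of the href, which is why wiki.example.org.attacker.example and the userinfo form both fall through to the prompt.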


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1021
  • Attack Vector: Network (CSS Injection)
  • CVSS v4.0: 5.3 (Medium)
  • Privileges Required: None
  • User Interaction: Passive (the victim only has to click anywhere on the page)
  • Exploit Status: PoC Available

Affected Systems

  • XWiki Platform: < 16.10.13 (Fixed in: 16.10.13)
  • XWiki Platform: >= 17.0.0-rc-1, < 17.4.6 (Fixed in: 17.4.6)
  • XWiki Platform: >= 17.5.0, < 17.9.0 (Fixed in: 17.9.0)

Code Analysis

Commit: 29cb81f

Implementation of Frontend Link Protection infrastructure

Added link-protection.js and trusted-domains-configuration

Commit: 7b5a4f8

Refinement of link interception logic

Enhanced URL verification logic

Exploit Details

Mitigation Strategies

  • Upgrade to a fixed release for your branch (16.10.13, 17.4.6 or 17.9.0) as soon as possible.
  • Configure xwiki.properties to enforce strict frontend URL checking.
  • Audit existing comments for CSS blocks containing position: fixed (and viewport-sized dimensions such as width: 100vw). The JavaScript prompt only fires when a user follows a link off the trusted domains; it does not remove an overlay that is already in a comment.

Remediation Steps:

  1. For versions < 16.10.13, upgrade to 16.10.13.
  2. For versions 17.0.0-rc-1 to 17.4.5, upgrade to 17.4.6.
  3. For versions 17.5.0 to 17.8.x, upgrade to 17.9.0.
  4. Verify the fix by checking if link-protection.js is loaded in the browser developer tools.
  5. Add url.frontendUrlCheckEnabled=true to your xwiki.properties file.
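The audit step above is worth automating, since a wiki of any size has more comments than anyone will read by hand. The following is an added example of such a scan, not XWiki code: it takes comment bodies (the four sample comments are constructed for this example) and flags the indicators the advisory names, position: fixed and viewport-sized dimensions, plus opacity: 0 as a sign the element is meant to be invisible. CSS comments are stripped and whitespace and case normalised first, so position:/**/FIXED cannot slip past the pattern.

```javascript
// Added example (not XWiki code): flag comments whose CSS can build an
// invisible, page-covering overlay.  SAMPLE_COMMENTS are constructed inputs;
// in practice feed this the comment bodies exported from the wiki.
const SAMPLE_COMMENTS = [
  { id: "Main.WebHome@1", body: "Thanks, fixed the typo in section 2." },
  { id: "Main.WebHome@2", body: "<style>.note { color: #c00; }</style>Looks good." },
  {
    id: "Main.WebHome@3",
    body:
      '<a href="https://attacker.example/" style="position: fixed; top: 0; ' +
      'left: 0; width: 100vw; height: 100vh; opacity: 0"></a>',
  },
  {
    id: "Sandbox.Test@1",
    body:
      "<style>a.x{POSITION:/* split */FIXED!important}</style>" +
      "<a class=x href=//attacker.example>.</a>",
  },
];

// Remove CSS comments, collapse whitespace and lowercase so trivial
// obfuscation (comments inside declarations, odd casing) does not evade us.
function normalizeCss(text) {
  return text
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/\s+/g, " ")
    .toLowerCase();
}

// position: fixed is the indicator named in the advisory; the others give
// reviewers context about whether the element is sized to cover the page and
// hidden from view.
const INDICATORS = [
  { name: "position-fixed", re: /position\s*:\s*fixed\b/ },
  { name: "viewport-width", re: /width\s*:\s*100\s*vw\b/ },
  { name: "viewport-height", re: /height\s*:\s*100\s*vh\b/ },
  { name: "invisible", re: /opacity\s*:\s*0(?![.\d])/ },
];

// Audit a single comment.  `suspicious` is true only when position: fixed is
// present; the other indicators alone (e.g. a wide table) are not enough.
function auditComment(comment) {
  const css = normalizeCss(comment.body);
  const hits = INDICATORS.filter((i) => i.re.test(css)).map((i) => i.name);
  return {
    id: comment.id,
    suspicious: hits.includes("position-fixed"),
    indicators: hits,
  };
}

// Audit a whole export and keep only comments with at least one indicator.
function auditComments(comments) {
  return comments.map(auditComment).filter((r) => r.indicators.length > 0);
}

// Stand-alone run: print the findings for the constructed sample.
console.log(JSON.stringify(auditComments(SAMPLE_COMMENTS), null, 2));
```

Treat `suspicious: true` as a queue for manual review rather than an automatic delete: a comment can legitimately mention position: fixed in a code sample, and the scan does not try to distinguish rendered CSS from quoted text.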
