
CVE-2026-26000: CWE-1021: Improper Restriction of Rendered UI Layers or Frames in xwiki xwiki-platform

Severity: Medium
Published: Thu Feb 12 2026 (02/12/2026, 20:30:07 UTC)
Source: CVE Database V5
Vendor/Project: xwiki
Product: xwiki-platform

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/12/2026, 21:03:44 UTC

Technical Analysis

CVE-2026-26000 is a vulnerability in the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications. The flaw exists in versions prior to 17.9.0, 17.4.6, and 16.10.13, where an attacker can inject malicious CSS code through the comments feature. This CSS injection manipulates the rendered UI layers, effectively transforming the entire wiki interface into a large clickable link that redirects users to an attacker-controlled malicious webpage. The root cause is improper restriction of rendered UI layers or frames, classified under CWE-1021. The vulnerability does not require any privileges or authentication to exploit, but it does require user interaction, as users must view or interact with the manipulated wiki page to be redirected. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, but user interaction needed, and limited impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild, the attack vector enables phishing and social engineering by leveraging trusted wiki content to lure users to malicious sites. The vulnerability is fixed in versions 17.9.0, 17.4.6, and 16.10.13. Organizations running affected versions should upgrade promptly to mitigate risk.

Potential Impact

For European organizations, this vulnerability can facilitate phishing attacks and social engineering by turning trusted internal or public wiki pages into malicious redirectors. This can lead to credential theft, malware delivery, or unauthorized access if users are redirected to attacker-controlled sites. The impact on confidentiality, integrity, and availability is limited directly, but the indirect consequences through user deception can be significant. Organizations relying on XWiki for documentation, collaboration, or knowledge management—especially in sectors like government, education, and enterprises—may face reputational damage and operational disruption if exploited. The vulnerability's ease of exploitation without authentication increases risk, especially in environments where user awareness is low or where wiki content is widely accessible. Since no known exploits are currently active, proactive patching can prevent potential attacks.

Mitigation Recommendations

1. Upgrade all affected XWiki Platform instances to versions 17.9.0, 17.4.6, or 16.10.13 or later, where the vulnerability is patched.
2. Implement strict input validation and sanitization on comment fields to prevent CSS or other code injection, using a whitelist approach for allowed content.
3. Employ Content Security Policy (CSP) headers to restrict the execution of injected styles or scripts and limit the domains to which users can be redirected.
4. Educate users about the risks of clicking unexpected links within internal wiki pages and encourage verification of URLs before interaction.
5. Monitor wiki logs for unusual comment submissions or sudden changes in UI behavior that could indicate attempted exploitation.
6. Consider disabling or restricting comment functionality if not essential, or limit comment posting permissions to trusted users.
7. Regularly audit and update third-party components and dependencies to reduce exposure to similar vulnerabilities.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-09T17:41:55.859Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 698e3cc8c9e1ff5ad81239f6

Added to database: 2/12/2026, 8:49:12 PM

Last enriched: 2/12/2026, 9:03:44 PM

Last updated: 3/29/2026, 8:51:06 PM

Views: 110

Community Reviews

0 reviews
