PT-2026-7901 · Xwiki · Xwiki Platform

Keechy1231 · Published 2026-02-12 · Updated 2026-02-20 · CVE-2026-26000

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 17.9.0
XWiki Platform versions prior to 17.4.6
XWiki Platform versions prior to 16.10.13

Description

The XWiki Platform, a generic wiki platform, is affected by a UI redressing issue, specifically a clickjacking attack. Unauthenticated attackers can inject CSS through the comment functionality and use it to hijack user clicks. By overlaying invisible anchor elements, an attacker can redirect users to malicious pages. The issue stems from improper restriction of visual layers within the user interface.

Recommendations

Update to XWiki Platform version 17.9.0 or later.
Update to XWiki Platform version 17.4.6 or later.
Update to XWiki Platform version 16.10.13 or later.

Exploit

Fix

Clickjacking

Weakness Enumeration

Related Identifiers

BDU:2026-02020
CVE-2026-26000
GHSA-74RH-C5RH-88VG

Affected Products

Xwiki Platform