CVE-2026-26000

MEDIUM EPSS 19.6%
Published Feb 12, 20264mo ago · Modified Feb 19, 20264mo ago
5.3 CVSS 4.0
Medium
Find Similar
Published Feb 12, 2026 4mo ago
Last Modified Feb 19, 2026 4mo ago

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.

CVSS Details

Base Score
5.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
19.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-1021

Affected Products 3

VendorProductVersionRange
xwikixwiki* <16.10.13
xwikixwiki*≥17.0.0  –  <17.4.6
xwikixwiki*≥17.5.0  –  <17.9.0

References 2

  • github.com https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.6
    ProductRelease Notes
  • github.com https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-74rh-c5rh-88vg
    PatchVendor Advisory

Remediation

  • github.com https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-74rh-c5rh-88vg
    PatchVendor Advisory