GHSA-74rh-c5rh-88vg

Source

https://github.com/advisories/GHSA-74rh-c5rh-88vg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-74rh-c5rh-88vg/GHSA-74rh-c5rh-88vg.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-74rh-c5rh-88vg

Aliases

CVE-2026-26000

Published

2026-02-12T15:54:19Z

Modified

2026-02-12T22:19:17.617580Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

XWiki vulnerable to click-jacking through CSS injection in comments

Details

Impact

It's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. All versions of XWiki are impacted by this kind of attack.

Patches

The problem has been patched not by preventing injecting CSS in comments, which is currently a feature of XWiki, but by requiring confirmation from users when driving them to untrusted domains after clicking on a link, thus preventing any click-jacking attack. This security measure has been put in place in XWiki 17.9.0, 17.4.6, 16.10.13.

Workarounds

There's no out-of-the-box workaround, but it should be possible to partly reuse the javascript code provided for the security measure in a JSX object inside the wiki, to request the same kind of confirmation.

References

JIRA ticket: https://jira.xwiki.org/browse/XWIKI-23433
Documentation of the new security measure: https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.9.0RC1/Entry006/
Commit for the security fix: https://github.com/xwiki/xwiki-platform/commit/29cb81f3a5387cf822d7e7534bdd63903275f86b

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

Thanks Tomas Keech (Sentrium Security Ltd) for reporting this vulnerability.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2026-02-12T21:16:02Z",
    "cwe_ids": [
        "CWE-1021"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2026-02-12T15:54:19Z"
}

References

Affected packages

Maven

org.xwiki.platform:xwiki-platform-web

Package

Name: org.xwiki.platform:xwiki-platform-web; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

17.5.0

Fixed

17.9.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-74rh-c5rh-88vg/GHSA-74rh-c5rh-88vg.json"

org.xwiki.platform:xwiki-platform-web

Package

Name: org.xwiki.platform:xwiki-platform-web; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

17.0.0-rc-1

Fixed

17.4.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-74rh-c5rh-88vg/GHSA-74rh-c5rh-88vg.json"

org.xwiki.platform:xwiki-platform-web

Package

Name: org.xwiki.platform:xwiki-platform-web; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.10.13

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-74rh-c5rh-88vg/GHSA-74rh-c5rh-88vg.json"