XWiki is vulnerable to Cross-Site Scripting (XSS) attacks. The library does not properly check for dangerous attribute values when rendering HTML before it is output to the front end, allowing an attacker to inject and execute malicious JavaScript in the victim’s browser.
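One way to express the kind of attribute-value check described above, as an added example (it is not XWiki's code and not its fix). The attribute list, the scheme allowlist and the function names are assumptions chosen for illustration.

```python
import html
import re

# Assumed policy for this example; not XWiki's actual lists.
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "poster", "cite"}
SAFE_SCHEMES = {"http", "https", "mailto"}

# Browsers drop leading C0 controls/spaces and embedded tabs/newlines when
# parsing a URL, so the check strips a superset of those before looking
# at the scheme.
_IGNORED = re.compile(r"[\x00-\x20]+")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def _normalize(value: str) -> str:
    """Decode character references until stable, then strip ignored chars."""
    previous = None
    while value != previous:
        previous, value = value, html.unescape(value)
    return _IGNORED.sub("", value)


def is_safe_attribute(name: str, value: str) -> bool:
    """Return True if the attribute may be written into rendered HTML."""
    name = name.strip().lower()
    # Event handler attributes (onclick, onerror, ...) always carry script.
    if name.startswith("on"):
        return False
    # Only URL-bearing attributes need a scheme check on the value.
    if name not in URL_ATTRIBUTES:
        return True
    match = _SCHEME.match(_normalize(value))
    if match is None:
        return True  # no scheme: a relative URL
    # Allowlist, not denylist: unknown schemes are rejected by default.
    return match.group(1).lower() in SAFE_SCHEMES


def filter_attributes(attrs: dict[str, str]) -> dict[str, str]:
    """Keep only the attributes that pass the value check."""
    return {n: v for n, v in attrs.items() if is_safe_attribute(n, v)}
```

The check runs on the normalized value, not the raw string, so encoded or whitespace-padded schemes are judged the way a browser would read them; the kept value must still be attribute-escaped when it is written out.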