If you can get a user to click a link which exposes CSS injection, it can be a security issue. For instance, you could change the text of links and buttons, and otherwise trick the user into doing something that s/he wouldn't otherwise.