Skip to main content

MediaWiki Charts Extension CVE-2026-14358

| EUVDEUVD-2026-41118 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 wikimedia-foundation GHSA-f5m8-q8gq-mjpw
6.9
CVSS 4.0 · Vendor: wikimedia-foundation
Share

Severity by source

Vendor (wikimedia-foundation) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-reachable XSS with no privileges required; UI:R used in CVSS 3.1 as victim page rendering constitutes user interaction; scope changes to victim browser context with low C/I impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (wikimedia-foundation).

CVSS VectorVendor: wikimedia-foundation

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 20:02 EUVD
Analysis Generated
Jul 01, 2026 - 19:36 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Charts Extension allows Cross-Site Scripting (XSS).

This issue affects Mediawiki - Charts Extension: from * before 1.43.9,1.44.6,1.45.4.

AnalysisAI

Cross-site scripting in the Wikimedia Foundation's MediaWiki Charts Extension allows network-accessible, unauthenticated attackers to inject malicious JavaScript into wiki pages that render chart content. All installations running the Charts Extension across the 1.43.x, 1.44.x, and 1.45.x branches prior to fixed releases 1.43.9, 1.44.6, and 1.45.4 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access MediaWiki instance with Charts Extension enabled
Delivery
Submit crafted chart payload containing injected JavaScript (no authentication required)
Exploit
Payload stored or processed without output sanitization
Execution
Victim browses wiki page rendering the malicious chart
Persist
Attacker JavaScript executes in victim browser session context
Impact
Session token or authenticated actions exfiltrated

Vulnerability AssessmentAI

Exploitation The MediaWiki Charts Extension must be installed and enabled on the target MediaWiki instance. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) presents several high-concern signals simultaneously: network-reachable, low complexity, no attacker privileges required, and no user interaction required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a crafted chart definition containing embedded JavaScript to a publicly editable MediaWiki instance with the Charts Extension active. The malicious payload is stored or processed without sanitization, and when any user - including administrators - browses a page that renders the poisoned chart, the attacker's script executes in their browser, enabling session token theft, credential harvesting, or unauthorized wiki actions on behalf of the victim. …
Remediation Operators should upgrade the MediaWiki Charts Extension to the fixed releases corresponding to their active MediaWiki branch: 1.43.9, 1.44.6, or 1.45.4. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14358 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy