Skip to main content

MediaWiki Cargo Extension CVE-2026-14363

| EUVDEUVD-2026-41127 MEDIUM
SQL Injection (CWE-89)
2026-07-01 wikimedia-foundation GHSA-cj99-hcr5-53g3
6.9
CVSS 4.0 · Vendor: wikimedia-foundation
Share

Severity by source

Vendor (wikimedia-foundation) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.3 HIGH

Network-reachable with no auth (PR:N); scope change justified as database is a separate component affected beyond the web application.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
Red Hat
7.3 HIGH
qualitative

Primary rating from Vendor (wikimedia-foundation).

CVSS VectorVendor: wikimedia-foundation

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 21:02 EUVD
Analysis Generated
Jul 01, 2026 - 20:18 vuln.today

DescriptionCVE.org

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection.

This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.

AnalysisAI

SQL injection in the Wikimedia Foundation's MediaWiki Cargo Extension exposes wiki deployments to unauthenticated database read and write operations across all versions prior to 1.43.9, 1.44.6, and 1.45.4. The Cargo extension's core function - accepting user-supplied query parameters to construct database queries - makes this a structurally sensitive attack surface, as improper neutralization of SQL special elements allows crafted input to escape intended query boundaries. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted HTTP request to Cargo query endpoint
Delivery
Inject SQL metacharacters into query parameter (where/join)
Exploit
Bypass input neutralization in Cargo SQL builder
Execution
Execute attacker-controlled SQL against wiki database
Impact
Extract or manipulate structured Cargo table data

Vulnerability AssessmentAI

Exploitation The MediaWiki Cargo extension must be installed and active on the target wiki. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) establishes this as remotely exploitable by unauthenticated attackers with no complexity barriers, which is the highest-risk exploitation profile for network services. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP GET or POST request to a MediaWiki page that invokes a Cargo query parser function, injecting SQL metacharacters into a query parameter such as the 'where' or 'join on' clause. The injected SQL is passed unsanitized to the database engine, allowing the attacker to enumerate Cargo table schemas, extract structured wiki data, or manipulate records. …
Remediation Upgrade the Cargo extension to version 1.43.9, 1.44.6, or 1.45.4 depending on the MediaWiki branch in use - these are the vendor-confirmed fixed releases. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-14363 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy