Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with no auth (PR:N); scope change justified as database is a separate component affected beyond the web application.
Primary rating from Vendor (wikimedia-foundation).
CVSS VectorVendor: wikimedia-foundation
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection.
This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.
AnalysisAI
SQL injection in the Wikimedia Foundation's MediaWiki Cargo Extension exposes wiki deployments to unauthenticated database read and write operations across all versions prior to 1.43.9, 1.44.6, and 1.45.4. The Cargo extension's core function - accepting user-supplied query parameters to construct database queries - makes this a structurally sensitive attack surface, as improper neutralization of SQL special elements allows crafted input to escape intended query boundaries. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The MediaWiki Cargo extension must be installed and active on the target wiki. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) establishes this as remotely exploitable by unauthenticated attackers with no complexity barriers, which is the highest-risk exploitation profile for network services. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP GET or POST request to a MediaWiki page that invokes a Cargo query parser function, injecting SQL metacharacters into a query parameter such as the 'where' or 'join on' clause. The injected SQL is passed unsanitized to the database engine, allowing the attacker to enumerate Cargo table schemas, extract structured wiki data, or manipulate records. … |
| Remediation | Upgrade the Cargo extension to version 1.43.9, 1.44.6, or 1.45.4 depending on the MediaWiki branch in use - these are the vendor-confirmed fixed releases. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Mediawiki Cargo Extension
View allStored cross-site scripting in the Wikimedia Foundation's MediaWiki Cargo Extension (all versions before 3.9.1) allows a
SQL injection in the Wikimedia Foundation's Cargo Extension for MediaWiki exposes all installations running versions pri
Stored cross-site scripting (XSS) in the Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to in
Stored XSS vulnerability in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing permissi
Stored XSS in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing privileges to inject m
Cross-site scripting (XSS) vulnerability in Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to
Same weakness CWE-89 – SQL Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41127
GHSA-cj99-hcr5-53g3