Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
AnalysisAI
Stored cross-site scripting (XSS) in the Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to inject malicious scripts via improper neutralization of HTML tags, enabling persistent client-side attacks against other users viewing affected content. The vulnerability requires user interaction (page view) but grants attackers the ability to modify page content and session information for victims, with CVSS 6.3 reflecting medium severity and EPSS exploitation probability not independently confirmed from available data.
Technical ContextAI
The vulnerability stems from inadequate input sanitization in the Cargo Extension for Mediawiki, a popular content organization system built on the Mediawiki platform. CWE-80 (Improper Neutralization of Script-Related HTML Tags) indicates the root cause: the extension fails to properly escape or filter HTML script tags and related constructs when processing user-supplied data, allowing attackers to inject arbitrary JavaScript that executes in the context of other users' browsers. This is a classic stored XSS vulnerability where malicious payloads persist in the application's data store (likely template or page content) and are served to subsequent viewers without proper output encoding. The affected product is Mediawiki Cargo Extension (CPE: cpe:2.3:a:wikimedia_foundation:mediawiki_-_cargo_extension:*:*:*:*:*:*:*:*), which is a widely-used extension for structured data management in Mediawiki installations.
RemediationAI
Vendors and site administrators must upgrade the Mediawiki Cargo Extension to version 3.8.7 or later to remediate the vulnerability. The upstream fix is documented in Gerrit commit https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237979 and referenced in the Wikimedia Phabricator task https://phabricator.wikimedia.org/T416402. Administrators managing Mediawiki installations should prioritize upgrading the Cargo Extension as part of their patch management process. No workarounds are documented; upgrade is the primary remediation path. Sites that cannot immediately upgrade should restrict access to the Cargo Extension to trusted administrators only and monitor for suspicious content modifications or injected scripts in pages using the extension.
More in Mediawiki Cargo Extension
View allStored cross-site scripting in the Wikimedia Foundation's MediaWiki Cargo Extension (all versions before 3.9.1) allows a
SQL injection in the Wikimedia Foundation's MediaWiki Cargo Extension exposes wiki deployments to unauthenticated databa
SQL injection in the Wikimedia Foundation's Cargo Extension for MediaWiki exposes all installations running versions pri
Stored XSS vulnerability in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing permissi
Stored XSS in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing privileges to inject m
Cross-site scripting (XSS) vulnerability in Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19927
GHSA-6m53-gpj2-w66j