Skip to main content

Mediawiki Cargo Extension CVE-2026-39837

| EUVDEUVD-2026-19927 MEDIUM
Basic XSS (CWE-80)
2026-04-07 wikimedia-foundation GHSA-6m53-gpj2-w66j
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.8.7
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19927
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:47 nvd
MEDIUM 6.3

DescriptionCVE.org

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

AnalysisAI

Stored cross-site scripting (XSS) in the Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to inject malicious scripts via improper neutralization of HTML tags, enabling persistent client-side attacks against other users viewing affected content. The vulnerability requires user interaction (page view) but grants attackers the ability to modify page content and session information for victims, with CVSS 6.3 reflecting medium severity and EPSS exploitation probability not independently confirmed from available data.

Technical ContextAI

The vulnerability stems from inadequate input sanitization in the Cargo Extension for Mediawiki, a popular content organization system built on the Mediawiki platform. CWE-80 (Improper Neutralization of Script-Related HTML Tags) indicates the root cause: the extension fails to properly escape or filter HTML script tags and related constructs when processing user-supplied data, allowing attackers to inject arbitrary JavaScript that executes in the context of other users' browsers. This is a classic stored XSS vulnerability where malicious payloads persist in the application's data store (likely template or page content) and are served to subsequent viewers without proper output encoding. The affected product is Mediawiki Cargo Extension (CPE: cpe:2.3:a:wikimedia_foundation:mediawiki_-_cargo_extension:*:*:*:*:*:*:*:*), which is a widely-used extension for structured data management in Mediawiki installations.

RemediationAI

Vendors and site administrators must upgrade the Mediawiki Cargo Extension to version 3.8.7 or later to remediate the vulnerability. The upstream fix is documented in Gerrit commit https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237979 and referenced in the Wikimedia Phabricator task https://phabricator.wikimedia.org/T416402. Administrators managing Mediawiki installations should prioritize upgrading the Cargo Extension as part of their patch management process. No workarounds are documented; upgrade is the primary remediation path. Sites that cannot immediately upgrade should restrict access to the Cargo Extension to trusted administrators only and monitor for suspicious content modifications or injected scripts in pages using the extension.

Share

CVE-2026-39837 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy