Skip to main content

Mediawiki Proofreadpage Extension CVE-2026-39838

| EUVDEUVD-2026-19889 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-07 wikimedia-foundation
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19889
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:17 nvd
MEDIUM 6.9

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements.This issue affects .

AnalysisAI

Improper input neutralization in the Wikimedia MediaWiki ProofreadPage Extension allows cross-site scripting (XSS) attacks targeting non-script elements via unauthenticated remote requests. The vulnerability has a CVSS 4.0 base score of 6.9 with network-accessible attack vector and low integrity and confidentiality impact. No public exploit code or active exploitation (KEV status) is documented at time of analysis, though the low attack complexity and absence of privilege requirements make this a practical threat to deployed MediaWiki instances using this extension.

Technical ContextAI

The ProofreadPage Extension for Wikimedia MediaWiki fails to properly neutralize user-supplied input during dynamic web page generation, creating a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability. This class of flaw allows attackers to inject malicious scripts that execute in users' browsers without proper output encoding or content security mechanisms. The extension, deployed across MediaWiki installations to enable collaborative document proofreading workflows, processes user input without adequate sanitization before rendering it in HTML responses, enabling XSS payloads that target non-script DOM elements (such as event handlers on tags like img, svg, or iframe). The affected product is identified by CPE string cpe:2.3:a:wikimedia_foundation:mediawiki_-_proofreadpage_extension:*:*:*:*:*:*:*:*, indicating all versions of the extension are potentially impacted pending vendor patch confirmation.

RemediationAI

Patch available per vendor advisory. Organizations should update the ProofreadPage Extension to the latest patched version released by the Wikimedia Foundation, checking https://phabricator.wikimedia.org/T406088 for specific version numbers and release notes. As an interim mitigation before patching, administrators may consider disabling the ProofreadPage Extension on non-critical MediaWiki instances or restricting access to the affected functionality using authentication and authorization controls. Additionally, implementing Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting non-script elements, and reviewing Content Security Policy (CSP) headers on affected MediaWiki instances, can reduce exploitation risk until patches are applied. Regular monitoring of gerrit.wikimedia.org for extension updates is recommended for maintaining security in deployed MediaWiki environments.

Share

CVE-2026-39838 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy