Skip to main content

Mediawiki Cargo Extension CVE-2026-39839

| EUVDEUVD-2026-19891 MEDIUM
Basic XSS (CWE-80)
2026-04-07 wikimedia-foundation GHSA-r77j-8275-g6jm
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.8.7
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19891
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:29 nvd
MEDIUM 6.3

DescriptionCVE.org

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

AnalysisAI

Stored XSS in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing privileges to inject malicious scripts via improper HTML tag neutralization, affecting all installations of the extension using vulnerable versions. The vulnerability requires user interaction (page view) to trigger, and impacts script integrity and site integrity for affected wiki installations. No public exploit code or active exploitation has been reported at the time of analysis.

Technical ContextAI

The Cargo Extension for MediaWiki is a data management and querying system that extends wiki functionality. The vulnerability stems from CWE-80 (Improper Neutralization of Script-Related HTML Tags), indicating the extension fails to properly sanitize or escape HTML input containing script tags before storing and rendering user-supplied content. This is a classic stored XSS flaw where malicious payloads are persisted in the wiki database and executed in the browsers of subsequent users who view affected pages. The CVSS 4.0 vector (AV:N/AC:L/PR:L/UI:P) confirms network-accessible attack surface, low complexity, authenticated attacker requirement (PR:L), and user interaction dependency (UI:P), suggesting the attack occurs through normal wiki editing workflows where an authenticated editor inserts malicious HTML/script into wiki content managed by Cargo.

RemediationAI

Upgrade Mediawiki Cargo Extension to version 3.8.7 or later immediately. The upstream fix is available via two commits in the Wikimedia Gerrit repository: commit 1237957 and commit 1237977 (referenced at gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237957 and gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237977). Wiki administrators should update their extension via standard MediaWiki extension management tools or by pulling the latest code from the Wikimedia Git repository. No known workarounds exist for versions prior to 3.8.7; patching is the primary remediation path. Verify the upgrade through the special pages interface or extension version reporting in MediaWiki administration panels.

Share

CVE-2026-39839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy