Skip to main content

Mediawiki Cargo Extension CVE-2026-39840

| EUVDEUVD-2026-19929 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-07 wikimedia-foundation GHSA-8m8x-w498-p4wx
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.8.7
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19929
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:35 nvd
MEDIUM 5.1

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

AnalysisAI

Cross-site scripting (XSS) vulnerability in Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to inject malicious scripts into non-script page elements through improper input neutralization. The vulnerability requires user interaction (UI:P) and has limited scope impact, affecting only the confidentiality and integrity of session data. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic cross-site scripting flaw where user-supplied input is not properly sanitized before being reflected in HTML output. The Cargo Extension for Mediawiki processes template arguments and page data; the vulnerability specifically targets non-script HTML elements, meaning the XSS payload is injected through element attributes or content rather than script tags. The CVSS 4.0 vector indicates this is a network-accessible vulnerability requiring prior authentication (PR:L) and user interaction to trigger, with impact limited to changing displayed content and session integrity within the affected scope.

RemediationAI

Vendor-released patch: Upgrade Mediawiki Cargo Extension to version 3.8.7 or later. The fix is available via the Wikimedia Gerrit repository (https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237966) and the associated task tracker (https://phabricator.wikimedia.org/T416368). Sites running self-hosted Mediawiki instances should update the Cargo Extension through their extension management system. No workarounds are documented; patching is the definitive mitigation. Administrators should also review user-created templates and stored data for any evidence of malicious injection prior to upgrading.

Share

CVE-2026-39840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy