Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
AnalysisAI
Cross-site scripting (XSS) vulnerability in Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to inject malicious scripts into non-script page elements through improper input neutralization. The vulnerability requires user interaction (UI:P) and has limited scope impact, affecting only the confidentiality and integrity of session data. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic cross-site scripting flaw where user-supplied input is not properly sanitized before being reflected in HTML output. The Cargo Extension for Mediawiki processes template arguments and page data; the vulnerability specifically targets non-script HTML elements, meaning the XSS payload is injected through element attributes or content rather than script tags. The CVSS 4.0 vector indicates this is a network-accessible vulnerability requiring prior authentication (PR:L) and user interaction to trigger, with impact limited to changing displayed content and session integrity within the affected scope.
RemediationAI
Vendor-released patch: Upgrade Mediawiki Cargo Extension to version 3.8.7 or later. The fix is available via the Wikimedia Gerrit repository (https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237966) and the associated task tracker (https://phabricator.wikimedia.org/T416368). Sites running self-hosted Mediawiki instances should update the Cargo Extension through their extension management system. No workarounds are documented; patching is the definitive mitigation. Administrators should also review user-created templates and stored data for any evidence of malicious injection prior to upgrading.
More in Mediawiki Cargo Extension
View allStored cross-site scripting in the Wikimedia Foundation's MediaWiki Cargo Extension (all versions before 3.9.1) allows a
SQL injection in the Wikimedia Foundation's MediaWiki Cargo Extension exposes wiki deployments to unauthenticated databa
SQL injection in the Wikimedia Foundation's Cargo Extension for MediaWiki exposes all installations running versions pri
Stored cross-site scripting (XSS) in the Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to in
Stored XSS vulnerability in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing permissi
Stored XSS in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing privileges to inject m
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19929
GHSA-8m8x-w498-p4wx