Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
AnalysisAI
Stored XSS vulnerability in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing permissions to inject malicious scripts via improper neutralization of HTML script tags, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers when stored content is viewed. The vulnerability requires user interaction (page view) and authenticated access but carries high scope impact on integrity and confidentiality through script injection in a collaborative wiki environment.
Technical ContextAI
The Cargo Extension for MediaWiki provides database querying and template functionality for wiki pages. The vulnerability stems from insufficient HTML sanitization (CWE-80: Improper Neutralization of Script-Related HTML Tags) in the extension's tag processing logic, allowing script-related HTML elements to bypass filtering and persist in the wiki database. Attackers with editing privileges (PR:L per CVSS vector) can embed malicious <script> tags or event handlers that execute when other users render pages containing the vulnerable Cargo template or query output. The root cause is inadequate input validation before storage and output encoding before rendering in the wiki environment where content trust is assumed for editors but not enforced at the HTML level.
RemediationAI
Vendor-released patch: Cargo Extension version 3.8.7 or later. Upgrade to the fixed version immediately via the MediaWiki extension management system or by pulling the latest code from the Wikimedia Gerrit repository (https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237973). For environments unable to immediately patch, restrict editor privileges to trusted users only and monitor wiki edit logs for suspicious script-containing edits. See https://phabricator.wikimedia.org/T416389 for technical details and patch confirmation.
More in Mediawiki Cargo Extension
View allStored cross-site scripting in the Wikimedia Foundation's MediaWiki Cargo Extension (all versions before 3.9.1) allows a
SQL injection in the Wikimedia Foundation's MediaWiki Cargo Extension exposes wiki deployments to unauthenticated databa
SQL injection in the Wikimedia Foundation's Cargo Extension for MediaWiki exposes all installations running versions pri
Stored cross-site scripting (XSS) in the Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to in
Stored XSS in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing privileges to inject m
Cross-site scripting (XSS) vulnerability in Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19931