Skip to main content

Mediawiki Cargo Extension CVE-2026-39841

| EUVDEUVD-2026-19931 MEDIUM
Basic XSS (CWE-80)
2026-04-07 wikimedia-foundation
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.8.7
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19931
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:43 nvd
MEDIUM 6.3

DescriptionCVE.org

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

AnalysisAI

Stored XSS vulnerability in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing permissions to inject malicious scripts via improper neutralization of HTML script tags, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers when stored content is viewed. The vulnerability requires user interaction (page view) and authenticated access but carries high scope impact on integrity and confidentiality through script injection in a collaborative wiki environment.

Technical ContextAI

The Cargo Extension for MediaWiki provides database querying and template functionality for wiki pages. The vulnerability stems from insufficient HTML sanitization (CWE-80: Improper Neutralization of Script-Related HTML Tags) in the extension's tag processing logic, allowing script-related HTML elements to bypass filtering and persist in the wiki database. Attackers with editing privileges (PR:L per CVSS vector) can embed malicious <script> tags or event handlers that execute when other users render pages containing the vulnerable Cargo template or query output. The root cause is inadequate input validation before storage and output encoding before rendering in the wiki environment where content trust is assumed for editors but not enforced at the HTML level.

RemediationAI

Vendor-released patch: Cargo Extension version 3.8.7 or later. Upgrade to the fixed version immediately via the MediaWiki extension management system or by pulling the latest code from the Wikimedia Gerrit repository (https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237973). For environments unable to immediately patch, restrict editor privileges to trusted users only and monitor wiki edit logs for suspicious script-containing edits. See https://phabricator.wikimedia.org/T416389 for technical details and patch confirmation.

Share

CVE-2026-39841 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy