Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS).This issue affects non release branches.
AnalysisAI
Cross-site scripting (XSS) in Wikimedia Foundation's MediaWiki GlobalWatchlist Extension enables unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers with critical impact across confidentiality, integrity, and availability (CVSS 10.0). This vulnerability affects only non-release development branches, not production deployments. No public exploit identified at time of analysis, though the publicly accessible Phabricator task and Gerrit code review may facilitate proof-of-concept development.
Technical ContextAI
The GlobalWatchlist Extension for MediaWiki fails to properly sanitize user-controlled input before rendering it in web pages, creating a stored or reflected XSS condition classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). MediaWiki extensions handle user input through PHP-based rendering pipelines that generate HTML output. When input validation or output encoding is insufficient, attackers can inject malicious JavaScript that executes in the security context of the MediaWiki application. The affected component is identified as cpe:2.3:a:the_wikimedia_foundation:mediawiki_-_globalwatchlist_extension:*:*:*:*:*:*:*:*, though this CPE lacks specific version boundaries. The Gerrit code review reference (I1fc7b7e1d234b0aaf9f7d782a65da1451577587e) points to the specific code change addressing the input neutralization failure, while Phabricator task T418179 provides the vulnerability discovery context.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed. The Gerrit code review at https://gerrit.wikimedia.org/r/q/I1fc7b7e1d234b0aaf9f7d782a65da1451577587e contains the remediation commit implementing proper input sanitization. Organizations tracking non-release branches should merge change-id I1fc7b7e1d234b0aaf9f7d782a65da1451577587e into their development environments immediately. Production deployments using released extension versions require no action as they were never vulnerable. For development environments that cannot immediately update, temporary workarounds include restricting network access to development MediaWiki instances to trusted IP ranges only, implementing web application firewall rules to block common XSS payloads in requests to GlobalWatchlist endpoints, or temporarily disabling the GlobalWatchlist Extension until the fix is integrated. Monitor the Phabricator task T418179 for additional vendor guidance and confirmation of the fix's inclusion in future stable releases.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19976
GHSA-333p-mjpr-3q3c