Skip to main content

Mediawiki Globalwatchlist Extension CVE-2026-39933

| EUVDEUVD-2026-19976 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-07 wikimedia-foundation GHSA-333p-mjpr-3q3c
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 22:16 euvd
EUVD-2026-19976
Analysis Generated
Apr 07, 2026 - 22:16 vuln.today
CVE Published
Apr 07, 2026 - 21:51 nvd
MEDIUM 6.9

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS).This issue affects non release branches.

AnalysisAI

Cross-site scripting (XSS) in Wikimedia Foundation's MediaWiki GlobalWatchlist Extension enables unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers with critical impact across confidentiality, integrity, and availability (CVSS 10.0). This vulnerability affects only non-release development branches, not production deployments. No public exploit identified at time of analysis, though the publicly accessible Phabricator task and Gerrit code review may facilitate proof-of-concept development.

Technical ContextAI

The GlobalWatchlist Extension for MediaWiki fails to properly sanitize user-controlled input before rendering it in web pages, creating a stored or reflected XSS condition classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). MediaWiki extensions handle user input through PHP-based rendering pipelines that generate HTML output. When input validation or output encoding is insufficient, attackers can inject malicious JavaScript that executes in the security context of the MediaWiki application. The affected component is identified as cpe:2.3:a:the_wikimedia_foundation:mediawiki_-_globalwatchlist_extension:*:*:*:*:*:*:*:*, though this CPE lacks specific version boundaries. The Gerrit code review reference (I1fc7b7e1d234b0aaf9f7d782a65da1451577587e) points to the specific code change addressing the input neutralization failure, while Phabricator task T418179 provides the vulnerability discovery context.

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed. The Gerrit code review at https://gerrit.wikimedia.org/r/q/I1fc7b7e1d234b0aaf9f7d782a65da1451577587e contains the remediation commit implementing proper input sanitization. Organizations tracking non-release branches should merge change-id I1fc7b7e1d234b0aaf9f7d782a65da1451577587e into their development environments immediately. Production deployments using released extension versions require no action as they were never vulnerable. For development environments that cannot immediately update, temporary workarounds include restricting network access to development MediaWiki instances to trusted IP ranges only, implementing web application firewall rules to block common XSS payloads in requests to GlobalWatchlist endpoints, or temporarily disabling the GlobalWatchlist Extension until the fix is integrated. Monitor the Phabricator task T418179 for additional vendor guidance and confirmation of the fix's inclusion in future stable releases.

Share

CVE-2026-39933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy