Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - CampaignEvents Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - CampaignEvents Extension: 1.43.7, 1.44.4, 1.45.2.
AnalysisAI
Improper input neutralization in Mediawiki CampaignEvents Extension versions 1.43.7, 1.44.4, and 1.45.2 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in user browsers via cross-site scripting (XSS). The vulnerability affects web page generation with a CVSS 4.0 base score of 6.9, indicating low confidentiality, integrity, and availability impact across both changed and unchanged security scopes.
Technical ContextAI
This is a classic reflected or stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a Mediawiki extension responsible for campaign event management. The CampaignEvents Extension fails to properly encode or sanitize user-supplied input before rendering it in HTML output, allowing attackers to break out of the intended context and inject malicious scripts. The vulnerability exists in multiple active versions (1.43.7, 1.44.4, and 1.45.2) of the extension, which suggests it likely affects the input handling logic across these versions. Since this is a Mediawiki extension rather than core, it is deployed only on instances where explicitly installed, limiting blast radius compared to core platform vulnerabilities.
RemediationAI
Update the Mediawiki CampaignEvents Extension to a patched version released after 1.45.2. Review the upstream fix committed to the Gerrit code repository at https://gerrit.wikimedia.org/r/c/1249320 to understand the input sanitization changes required. If immediate patching is unavailable, disable the CampaignEvents Extension until a security update is available, or restrict campaign event creation and editing to trusted administrative users only to reduce exposure surface.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19980