Skip to main content

Mediawiki Campaignevents Extension CVE-2026-39935

| EUVDEUVD-2026-19980 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-07 wikimedia-foundation
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 23:00 euvd
EUVD-2026-19980
Analysis Generated
Apr 07, 2026 - 23:00 vuln.today
CVE Published
Apr 07, 2026 - 22:04 nvd
MEDIUM 6.9

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - CampaignEvents Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - CampaignEvents Extension: 1.43.7, 1.44.4, 1.45.2.

AnalysisAI

Improper input neutralization in Mediawiki CampaignEvents Extension versions 1.43.7, 1.44.4, and 1.45.2 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in user browsers via cross-site scripting (XSS). The vulnerability affects web page generation with a CVSS 4.0 base score of 6.9, indicating low confidentiality, integrity, and availability impact across both changed and unchanged security scopes.

Technical ContextAI

This is a classic reflected or stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a Mediawiki extension responsible for campaign event management. The CampaignEvents Extension fails to properly encode or sanitize user-supplied input before rendering it in HTML output, allowing attackers to break out of the intended context and inject malicious scripts. The vulnerability exists in multiple active versions (1.43.7, 1.44.4, and 1.45.2) of the extension, which suggests it likely affects the input handling logic across these versions. Since this is a Mediawiki extension rather than core, it is deployed only on instances where explicitly installed, limiting blast radius compared to core platform vulnerabilities.

RemediationAI

Update the Mediawiki CampaignEvents Extension to a patched version released after 1.45.2. Review the upstream fix committed to the Gerrit code repository at https://gerrit.wikimedia.org/r/c/1249320 to understand the input sanitization changes required. If immediate patching is unavailable, disable the CampaignEvents Extension until a security update is available, or restrict campaign event creation and editing to trusted administrative users only to reduce exposure surface.

Share

CVE-2026-39935 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy