Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Score Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Score Extension.
AnalysisAI
Stored cross-site scripting (XSS) vulnerability in Mediawiki Score Extension allows unauthenticated remote attackers to inject malicious scripts that execute in the context of wiki pages, potentially compromising user sessions and enabling defacement or data theft. The vulnerability exists due to improper input neutralization during web page generation (CWE-79). Affected versions include 1.45.2, 1.43.7, and 1.44.4, with patches available from Wikimedia Foundation.
Technical ContextAI
The Mediawiki Score Extension processes user-supplied input when rendering musical notation and score data within wiki pages. The extension fails to properly sanitize or encode user input before embedding it into the HTML output, allowing attackers to inject arbitrary JavaScript code. This is a classic stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where malicious payloads are persisted in wiki content and executed in the browsers of all users viewing the affected page. The extension's role in rendering specialized score markup makes it a logical injection point if input validation is insufficient.
RemediationAI
Upgrade the Mediawiki Score Extension to version 1.43.7, 1.44.4, or 1.45.2 depending on your current Mediawiki version series. The patches have been released and are available through Wikimedia's Gerrit repository (https://gerrit.wikimedia.org/r/q/I1fb2913bc32328cbc4ecd4b4ad4a4788fb98c56c) and are tracked in Phabricator (https://phabricator.wikimedia.org/T419186). After patching, verify the update by confirming the extension version in your Mediawiki Special:Version page. If immediate patching is not possible, consider disabling the Score Extension temporarily on your wiki until the patch can be applied, as this will prevent the injection vector from being exploited.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19982
GHSA-fmf5-9m5j-xgw3