Skip to main content

Mediawiki Score Extension CVE-2026-39936

| EUVDEUVD-2026-19982 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-07 wikimedia-foundation GHSA-fmf5-9m5j-xgw3
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 23:00 euvd
EUVD-2026-19982
Analysis Generated
Apr 07, 2026 - 23:00 vuln.today
CVE Published
Apr 07, 2026 - 22:11 nvd
MEDIUM 6.9

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Score Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Score Extension.

AnalysisAI

Stored cross-site scripting (XSS) vulnerability in Mediawiki Score Extension allows unauthenticated remote attackers to inject malicious scripts that execute in the context of wiki pages, potentially compromising user sessions and enabling defacement or data theft. The vulnerability exists due to improper input neutralization during web page generation (CWE-79). Affected versions include 1.45.2, 1.43.7, and 1.44.4, with patches available from Wikimedia Foundation.

Technical ContextAI

The Mediawiki Score Extension processes user-supplied input when rendering musical notation and score data within wiki pages. The extension fails to properly sanitize or encode user input before embedding it into the HTML output, allowing attackers to inject arbitrary JavaScript code. This is a classic stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where malicious payloads are persisted in wiki content and executed in the browsers of all users viewing the affected page. The extension's role in rendering specialized score markup makes it a logical injection point if input validation is insufficient.

RemediationAI

Upgrade the Mediawiki Score Extension to version 1.43.7, 1.44.4, or 1.45.2 depending on your current Mediawiki version series. The patches have been released and are available through Wikimedia's Gerrit repository (https://gerrit.wikimedia.org/r/q/I1fb2913bc32328cbc4ecd4b4ad4a4788fb98c56c) and are tracked in Phabricator (https://phabricator.wikimedia.org/T419186). After patching, verify the update by confirming the extension version in your Mediawiki Special:Version page. If immediate patching is not possible, consider disabling the Score Extension temporarily on your wiki until the patch can be applied, as this will prevent the injection vector from being exploited.

Share

CVE-2026-39936 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy