Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
PR:L reflects required authenticated access; S:C and C:L/I:L capture XSS browser-side impact - session theft and DOM manipulation - which the all-N provided vector omits.
Primary rating from Vendor (wikimedia-foundation).
CVSS VectorVendor: wikimedia-foundation
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js.
This issue affects MediaWiki: from 1.46.0-rc.0 before 1.46.0.
AnalysisAI
Cross-site scripting in MediaWiki's ApiSandbox component (ApiSandboxLayout.js) allows an authenticated attacker to inject malicious JavaScript that executes in the browser of a victim who interacts with a crafted ApiSandbox page. Only MediaWiki 1.46.0-rc.0 is confirmed affected; the 1.46.0 stable release resolves the flaw, meaning real-world exposure is limited to deployments running the release candidate. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a low-privilege authenticated account on the target MediaWiki instance (confirmed by PR:L in the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N) presents an internal tension: it correctly identifies a network-reachable, low-complexity flaw requiring low privileges and passive user interaction, yet assigns all confidentiality, integrity, and availability metrics as N (no impact). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privilege MediaWiki account crafts a malicious ApiSandbox URL or page state that embeds unsanitized script content via the vulnerable ApiSandboxLayout.js rendering path, then social-engineers a higher-privileged user into visiting the ApiSandbox with that crafted input. When the victim's browser renders the sandbox layout, the injected script executes in their session, potentially harvesting authentication cookies or performing API actions on their behalf. … |
| Remediation | The primary remediation is to upgrade to MediaWiki 1.46.0 stable, which resolves the vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is
The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4,
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. Rated critical severity (CVSS 9.8), thi
The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf
The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQ
An issue was discovered in MediaWiki through 1.37.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely
An issue was discovered in MediaWiki through 1.37.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely
An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. Rated critical severity (CVSS 9.8), this
An issue was discovered in the AbuseFilter extension in MediaWiki through 1.36. Rated critical severity (CVSS 9.8), this
api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnera
An issue was discovered in the FileImporter extension in MediaWiki through 1.36. Rated high severity (CVSS 8.8), this vu
The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14,
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41012
GHSA-f942-cxv6-p9mx