Skip to main content

CheckUser CVE-2026-58034

| EUVDEUVD-2026-41011 NONE
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 wikimedia-foundation GHSA-5m8f-rxqc-4gpj

Severity by source

Vendor (wikimedia-foundation) PRIMARY
0.0 NONE
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
vuln.today AI
4.8 MEDIUM

PR:H reflects required CheckUser privileges; UI:R for victim interaction; S:C for browser-context script execution; no availability impact.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (wikimedia-foundation).

CVSS VectorVendor: wikimedia-foundation

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 16:01 EUVD
Analysis Generated
Jul 01, 2026 - 14:58 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser.

This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/blockConnectedTempAccountsField.Vue.

This issue affects CheckUser: from 1.46.0-rc.0 before 1.46.0.

AnalysisAI

Cross-site scripting in the Wikimedia Foundation CheckUser extension (versions 1.46.0-rc.0 up to but not including 1.46.0) allows a high-privileged attacker to inject malicious scripts via the blockConnectedTempAccountsField Vue component used in the Temporary Accounts blocking workflow. Exploitation requires both elevated CheckUser-level privileges and active user interaction from another party, materially constraining real-world risk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker obtains CheckUser privileges
Delivery
Submits XSS payload via block temp accounts field
Exploit
Victim CheckUser views manipulated block interface
Execution
Injected script executes in victim browser
Impact
Victim session or actions compromised

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker already holds CheckUser-level privileges on the target MediaWiki installation - a role restricted to a small set of trusted administrators and not available to ordinary registered users or anonymous visitors. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is very low despite the network-accessible vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds CheckUser-level privileges on a MediaWiki installation running CheckUser 1.46.0-rc.0 crafts a malicious input payload and submits it through the Temporary Accounts block interface, injecting script content into the blockConnectedTempAccountsField. A second privileged user (e.g., another CheckUser or administrator) who subsequently views the block interface encounters the injected script, which executes in their browser, potentially exfiltrating session cookies or performing actions on their behalf. …
Remediation Upgrade CheckUser to version 1.46.0 or later, which corrects the neutralization flaw in the blockConnectedTempAccountsField Vue component. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58034 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy