Skip to main content

MediaWiki Cargo Extension CVE-2026-58519

| EUVDEUVD-2026-40901 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 wikimedia-foundation GHSA-r23x-87q7-xq2f
6.9
CVSS 4.0 · Vendor: wikimedia-foundation
Share

Severity by source

Vendor (wikimedia-foundation) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-reachable stored XSS with no complexity; PR:N reflects open-editing wikis; UI:R required as victim must load the poisoned page; scope changes to browser context.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (wikimedia-foundation).

CVSS VectorVendor: wikimedia-foundation

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 06:01 EUVD
Analysis Generated
Jul 01, 2026 - 05:26 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.

This issue affects Mediawiki - Cargo Extension: from * before 3.9.1.

AnalysisAI

Stored cross-site scripting in the Wikimedia Foundation's MediaWiki Cargo Extension (all versions before 3.9.1) allows attackers to inject persistent malicious scripts into wiki pages rendered through the Cargo data-display system. The CVSS 4.0 vector carries E:A (evidence of active exploitation), elevating this beyond a theoretical risk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain wiki editing access (or use anonymous editing)
Delivery
Inject script payload into a Cargo-tracked structured data field
Exploit
Cargo stores unsanitized payload in database
Execution
Victim loads a wiki page rendering the Cargo query
Persist
Browser executes injected script
Impact
Exfiltrate session token or deliver secondary payload

Vulnerability AssessmentAI

Exploitation The Cargo Extension must be installed and active on the MediaWiki instance. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.9 and the E:A exploitation evidence modifier together indicate an actively exploited, medium-high severity vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with editing access (or none, if anonymous editing is enabled) submits a Cargo-tracked wiki page containing a malicious payload such as a script tag within a structured data field - for example, a Cargo table value like a name or description field. The Cargo extension stores this unsanitized value in its database. …
Remediation Upgrade the MediaWiki Cargo Extension to version 3.9.1 or later, which incorporates the fix committed in Gerrit change 1277612 (https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1277612). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58519 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy