Skip to main content

EUVDEUVD-2026-19851

| CVE-2026-22711 MEDIUM
Improper Neutralization of Alternate XSS Syntax (CWE-87)
2026-04-07 c4f26cc8-17ff-4c99-b5e2-38fc1793eacc GHSA-cp48-9xx4-pmj6
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 19:22 euvd
EUVD-2026-19851
Analysis Generated
Apr 07, 2026 - 19:22 vuln.today
CVE Published
Apr 07, 2026 - 19:16 nvd
MEDIUM 6.9

DescriptionCVE.org

Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikilove Extension: 1.43.7, 1.44.4, 1.45.2.

AnalysisAI

Cross-site scripting (XSS) in the Mediawiki Wikilove Extension via improper neutralization of alternate XSS syntax allows unauthenticated remote attackers to inject malicious scripts with low complexity attack surface. The vulnerability affects Mediawiki Wikilove Extension versions 1.43.7, 1.44.4, and 1.45.2, enabling stored or reflected XSS attacks that can compromise user sessions, steal credentials, or deface wiki content. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires no user interaction or privileges, making it a moderate-risk priority for affected wiki administrators.

Technical ContextAI

The Wikilove Extension for Mediawiki is a social extension that facilitates friendly inter-wiki communication through templates and notifications. The vulnerability stems from CWE-87 (Improper Neutralization of Alternate XSS Syntax), which indicates the extension fails to properly sanitize or encode user-controlled input before rendering it in HTML context. Rather than filtering standard HTML tags, attackers can bypass filters using alternate XSS syntax patterns-such as HTML entities, Unicode encoding, protocol handlers (javascript:, data:), or event handler variations-that are not caught by simplistic input validation. The flaw likely exists in template processing, user input fields within wiki markup, or notification rendering components where Wikilove constructs HTML without adequate context-aware output encoding. Affected products include Mediawiki Wikilove Extension CPE mediawiki:wikilove across versions 1.43.7, 1.44.4, and 1.45.2, though other versions may also be vulnerable.

Affected ProductsAI

Mediawiki Wikilove Extension versions 1.43.7, 1.44.4, and 1.45.2 are confirmed affected. The CPE identifier for the extension is mediawiki:wikilove. The vulnerability exists in the core Wikilove template and notification processing logic; any Mediawiki installation using the Wikilove Extension at these specific versions is at risk. Administrators using earlier or later versions should verify their patch status against the Wikimedia Gerrit repository and Phabricator tracking ticket T416502.

RemediationAI

Apply security patches released by The Wikimedia Foundation for the Wikilove Extension. Administrators should update to patched versions beyond 1.45.2 or consult the Wikimedia Gerrit review at https://gerrit.wikimedia.org/r/q/Iab86209478a044504f5a6aea0d8c3d14f21c48b3 and Phabricator task T416502 at https://phabricator.wikimedia.org/T416502 for exact fixed versions and deployment instructions. As an interim workaround pending patching, restrict edit permissions on wiki pages that use Wikilove templates to trusted users, disable the Wikilove Extension temporarily if not critical to operations, and implement Web Application Firewall (WAF) rules to block alternate XSS encoding patterns (Unicode escapes, HTML entities in attribute contexts, javascript: and data: protocol handlers). Monitor wiki edit logs and user notifications for suspicious activity indicative of XSS injection attempts.

Share

EUVD-2026-19851 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy