Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements.This issue affects .
AnalysisAI
Improper input neutralization in the Wikimedia MediaWiki ProofreadPage Extension allows cross-site scripting (XSS) attacks targeting non-script elements via unauthenticated remote requests. The vulnerability has a CVSS 4.0 base score of 6.9 with network-accessible attack vector and low integrity and confidentiality impact. No public exploit code or active exploitation (KEV status) is documented at time of analysis, though the low attack complexity and absence of privilege requirements make this a practical threat to deployed MediaWiki instances using this extension.
Technical ContextAI
The ProofreadPage Extension for Wikimedia MediaWiki fails to properly neutralize user-supplied input during dynamic web page generation, creating a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability. This class of flaw allows attackers to inject malicious scripts that execute in users' browsers without proper output encoding or content security mechanisms. The extension, deployed across MediaWiki installations to enable collaborative document proofreading workflows, processes user input without adequate sanitization before rendering it in HTML responses, enabling XSS payloads that target non-script DOM elements (such as event handlers on tags like img, svg, or iframe). The affected product is identified by CPE string cpe:2.3:a:wikimedia_foundation:mediawiki_-_proofreadpage_extension:*:*:*:*:*:*:*:*, indicating all versions of the extension are potentially impacted pending vendor patch confirmation.
RemediationAI
Patch available per vendor advisory. Organizations should update the ProofreadPage Extension to the latest patched version released by the Wikimedia Foundation, checking https://phabricator.wikimedia.org/T406088 for specific version numbers and release notes. As an interim mitigation before patching, administrators may consider disabling the ProofreadPage Extension on non-critical MediaWiki instances or restricting access to the affected functionality using authentication and authorization controls. Additionally, implementing Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting non-script elements, and reviewing Content Security Policy (CSP) headers on affected MediaWiki instances, can reduce exploitation risk until patches are applied. Regular monitoring of gerrit.wikimedia.org for extension updates is recommended for maintaining security in deployed MediaWiki environments.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19889