Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
AnalysisAI
Stored XSS in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing privileges to inject malicious scripts via improper HTML tag neutralization, affecting all installations of the extension using vulnerable versions. The vulnerability requires user interaction (page view) to trigger, and impacts script integrity and site integrity for affected wiki installations. No public exploit code or active exploitation has been reported at the time of analysis.
Technical ContextAI
The Cargo Extension for MediaWiki is a data management and querying system that extends wiki functionality. The vulnerability stems from CWE-80 (Improper Neutralization of Script-Related HTML Tags), indicating the extension fails to properly sanitize or escape HTML input containing script tags before storing and rendering user-supplied content. This is a classic stored XSS flaw where malicious payloads are persisted in the wiki database and executed in the browsers of subsequent users who view affected pages. The CVSS 4.0 vector (AV:N/AC:L/PR:L/UI:P) confirms network-accessible attack surface, low complexity, authenticated attacker requirement (PR:L), and user interaction dependency (UI:P), suggesting the attack occurs through normal wiki editing workflows where an authenticated editor inserts malicious HTML/script into wiki content managed by Cargo.
RemediationAI
Upgrade Mediawiki Cargo Extension to version 3.8.7 or later immediately. The upstream fix is available via two commits in the Wikimedia Gerrit repository: commit 1237957 and commit 1237977 (referenced at gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237957 and gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237977). Wiki administrators should update their extension via standard MediaWiki extension management tools or by pulling the latest code from the Wikimedia Git repository. No known workarounds exist for versions prior to 3.8.7; patching is the primary remediation path. Verify the upgrade through the special pages interface or extension version reporting in MediaWiki administration panels.
More in Mediawiki Cargo Extension
View allStored cross-site scripting in the Wikimedia Foundation's MediaWiki Cargo Extension (all versions before 3.9.1) allows a
SQL injection in the Wikimedia Foundation's MediaWiki Cargo Extension exposes wiki deployments to unauthenticated databa
SQL injection in the Wikimedia Foundation's Cargo Extension for MediaWiki exposes all installations running versions pri
Stored cross-site scripting (XSS) in the Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to in
Stored XSS vulnerability in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing permissi
Cross-site scripting (XSS) vulnerability in Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19891
GHSA-r77j-8275-g6jm