Skip to main content

Wikimedia Scribunto EUVD-2026-29061

| CVE-2026-34089 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 wikimedia-foundation GHSA-mcf6-vhp9-g7jr
XSS Scribunto
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 18:00 vuln.today
Patch available
May 11, 2026 - 17:01 EUVD
CVSS changed
May 11, 2026 - 16:22 NVD
2.3 (LOW)
CVE Published
May 11, 2026 - 14:46 nvd
LOW 2.3
CVE Published
May 11, 2026 - 14:46 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Vulnerability in Wikimedia Foundation Scribunto.

This issue affects Scribunto: from 1.45.0 before 1.45.2.

AnalysisAI

Cross-site scripting (XSS) vulnerability in Wikimedia Scribunto 1.45.0 through 1.45.1 allows authenticated users to inject malicious scripts that may be executed in the context of other users' browsers, potentially compromising session security and enabling unauthorized actions on affected wiki installations. The vulnerability requires login credentials and elevated attack complexity but carries low availability impact; CVSS 2.3 reflects limited real-world threat when combined with the authentication requirement.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker obtains wiki editor account
Delivery
Creates malicious Lua module or template
Exploit
Injects unescaped JavaScript into module output
Execution
Victim editor views the page
Persist
Browser executes injected script in victim's session context
Impact
Attacker gains unauthorized access to victim's wiki permissions
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a valid wiki user account with edit permissions in at least one namespace where Scribunto modules or templates can be created or modified (typically Template or Module namespace on public wikis, but restricted on private/internal wikis). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Risk is significantly lower than raw CVSS suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A logged-in wiki editor crafts a Lua module or template that injects malicious JavaScript through Scribunto's output generation. When the resulting wiki page is rendered and viewed by other editors or administrators, the injected script executes in their browsers with the permissions of their wiki accounts, potentially stealing session cookies, modifying page content, or escalating privileges if the viewer holds admin rights.
Remediation Upgrade Scribunto to version 1.45.2 or later immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-29061 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy