Skip to main content

MediaWiki EUVDEUVD-2026-41014

| CVE-2026-58032 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 wikimedia-foundation GHSA-2pj3-wqpx-g8cm
5.3
CVSS 4.0 · Vendor: wikimedia-foundation
Share

Severity by source

Vendor (wikimedia-foundation) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-reachable with no privileges required, but victim interaction needed; only limited confidentiality impact with no integrity or availability effect, and no scope change.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (wikimedia-foundation).

CVSS VectorVendor: wikimedia-foundation

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 17:01 EUVD
Analysis Generated
Jul 01, 2026 - 16:03 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.

This vulnerability is associated with program files resources/src/mediawiki.Api/index.Js.

This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

AnalysisAI

Cross-site scripting in MediaWiki's JavaScript API client layer (resources/src/mediawiki.Api/index.js) allows network-accessible, unauthenticated attackers to inject malicious scripts that execute in a victim's browser upon user interaction. All MediaWiki deployments prior to versions 1.43.9, 1.44.6, 1.45.4, and 1.46.0 are affected, covering a broad range of wiki installations worldwide. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious payload in wiki content or URL
Delivery
Victim visits attacker-influenced page
Exploit
Browser loads mediawiki.Api index.js
Execution
Unsanitized data injected into DOM
Persist
Malicious script executes in victim browser session
Impact
Limited data exfiltration or session abuse

Vulnerability AssessmentAI

Exploitation User interaction is required - a victim must visit or actively interact with an attacker-influenced page (UI:P per CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) accurately reflects the real-world risk profile: network-accessible (AV:N), low complexity (AC:L), no privileges required (PR:N), but critically gated by user interaction (UI:P), with only limited confidentiality impact (VC:L) and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits crafted wiki content or constructs a URL that causes mediawiki.Api/index.js to process unsanitized input and write it into the page DOM. When a victim user visits or interacts with the attacker-influenced page - such as clicking a link shared in a talk page or external site - the injected script executes in their browser session, potentially exfiltrating session tokens or performing API actions under the victim's identity. …
Remediation Upgrade MediaWiki to one of the patched releases: 1.43.9, 1.44.6, 1.45.4, or 1.46.0, depending on the branch in use. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2014-1610 MEDIUM POC
6.0 Jan 30

MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is

CVE-2015-8009 CRITICAL POC
9.8 Jul 25

The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4,

CVE-2023-37303 CRITICAL POC
9.8 Jun 30

An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. Rated critical severity (CVSS 9.8), thi

CVE-2022-29906 CRITICAL POC
9.8 Apr 29

The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf

CVE-2022-29904 CRITICAL POC
9.8 Apr 29

The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQ

CVE-2022-28206 CRITICAL POC
9.8 Mar 30

An issue was discovered in MediaWiki through 1.37.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2022-28205 CRITICAL POC
9.8 Mar 30

An issue was discovered in MediaWiki through 1.37.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2021-36128 CRITICAL POC
9.8 Jul 02

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. Rated critical severity (CVSS 9.8), this

CVE-2021-36126 CRITICAL POC
9.8 Jul 02

An issue was discovered in the AbuseFilter extension in MediaWiki through 1.36. Rated critical severity (CVSS 9.8), this

CVE-2017-8809 CRITICAL
9.8 Nov 15

api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnera

CVE-2021-36132 HIGH POC
8.8 Jul 02

An issue was discovered in the FileImporter extension in MediaWiki through 1.36. Rated high severity (CVSS 8.8), this vu

CVE-2014-9277 HIGH POC
7.5 Jan 04

The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14,

Share

EUVD-2026-41014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy