Skip to main content

MediaWiki UrlShortener EUVDEUVD-2026-41099

| CVE-2026-58520 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-07-01 wikimedia-foundation GHSA-q84p-w2wj-782m
6.9
CVSS 4.0 · Vendor: wikimedia-foundation
Share

Severity by source

Vendor (wikimedia-foundation) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Open redirect exploitation requires victim to click a crafted link (UI:R); redirect crosses to external domain establishing scope change (S:C); no availability impact applies to this class of vulnerability.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (wikimedia-foundation).

CVSS VectorVendor: wikimedia-foundation

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 19:02 EUVD
Analysis Generated
Jul 01, 2026 - 18:23 vuln.today

DescriptionCVE.org

URL redirection to untrusted site ('open redirect') vulnerability in The Wikimedia Foundation Mediawiki - UrlShortener Extension allows Cross-Site Flashing.

This issue affects Mediawiki - UrlShortener Extension: from * before 1.43.9, 1.44.6, 1.45.4.

AnalysisAI

Open redirect exploitation in the Wikimedia Foundation MediaWiki UrlShortener Extension enables unauthenticated network attackers to craft shortened URLs hosted on trusted MediaWiki domains that silently redirect victims to arbitrary external sites, facilitating phishing and Cross-Site Flashing attacks. All versions of the extension prior to 1.43.9, 1.44.6, and 1.45.4 across their respective branches are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify MediaWiki site with UrlShortener Extension enabled
Delivery
Submit request to create shortened URL targeting malicious domain
Exploit
Distribute crafted short link via phishing channel
Execution
Victim clicks trusted-domain short URL
Persist
Extension resolves redirect to attacker-controlled site
Impact
Victim exposed to phishing or malicious content

Vulnerability AssessmentAI

Exploitation The UrlShortener Extension must be installed and active on the target MediaWiki instance, and the instance must be running a version prior to 1.43.9, 1.44.6, or 1.45.4. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) scores 6.9 (Medium) and flags no user interaction as required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a shortened URL on a high-trust MediaWiki deployment (such as a Wikipedia project wiki) that maps to a malicious external domain hosting a credential-harvesting phishing page. The attacker distributes the resulting short link through email or social media, exploiting the trusted parent domain reputation to bypass user suspicion and URL-filtering controls. …
Remediation Upgrade the MediaWiki UrlShortener Extension to the patched release corresponding to your MediaWiki branch: 1.43.9, 1.44.6, or 1.45.4. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

EUVD-2026-41099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy