Skip to main content

Centralauth

1 CVEs product

Monthly

CVE-2026-58028 NONE PATCH Awaiting Data

Cross-site scripting in Wikimedia Foundation MediaWiki and the CentralAuth extension allows authenticated low-privileged users to inject malicious scripts into rendered wiki pages or API output through unsanitized input in API formatting, ResourceLoader module handling, page display hooks, and permission change log formatting. Affected versions span all releases of both products prior to the 1.46.0, 1.45.4, 1.44.6, and 1.43.9 patch series. No public exploit code or CISA KEV listing has been identified at time of analysis, though the five affected PHP files suggest a broad attack surface across core MediaWiki subsystems.

XSS PHP Mediawiki Centralauth
NVD VulDB
EPSS
0.4%
EPSS 0%
NONE PATCH Awaiting Data

Cross-site scripting in Wikimedia Foundation MediaWiki and the CentralAuth extension allows authenticated low-privileged users to inject malicious scripts into rendered wiki pages or API output through unsanitized input in API formatting, ResourceLoader module handling, page display hooks, and permission change log formatting. Affected versions span all releases of both products prior to the 1.46.0, 1.45.4, 1.44.6, and 1.43.9 patch series. No public exploit code or CISA KEV listing has been identified at time of analysis, though the five affected PHP files suggest a broad attack surface across core MediaWiki subsystems.

XSS PHP Mediawiki +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy