Skip to main content

Mediawiki Cargo Extension

7 CVEs product

Monthly

CVE-2026-14363 MEDIUM PATCH This Month

SQL injection in the Wikimedia Foundation's MediaWiki Cargo Extension exposes wiki deployments to unauthenticated database read and write operations across all versions prior to 1.43.9, 1.44.6, and 1.45.4. The Cargo extension's core function - accepting user-supplied query parameters to construct database queries - makes this a structurally sensitive attack surface, as improper neutralization of SQL special elements allows crafted input to escape intended query boundaries. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, but the PR:N/AC:L/AT:N CVSS 4.0 vector confirms exploitation requires no authentication or special preconditions against default-accessible Cargo query endpoints.

SQLi Mediawiki Cargo Extension Red Hat
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-58521 MEDIUM PATCH This Month

SQL injection in the Wikimedia Foundation's Cargo Extension for MediaWiki exposes all installations running versions prior to 1.43.9, 1.44.6, or 1.45.4 to unauthenticated database manipulation via the Cargo query interface. The flaw stems from improper neutralization of user-controlled input incorporated into SQL statements without adequate parameterization, allowing attackers to read, modify, or partially disrupt data stored in Cargo-managed tables. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 vector confirms low-complexity, network-accessible exploitation requiring no authentication or user interaction.

SQLi Mediawiki Cargo Extension
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-58519 MEDIUM PATCH This Month

Stored cross-site scripting in the Wikimedia Foundation's MediaWiki Cargo Extension (all versions before 3.9.1) allows attackers to inject persistent malicious scripts into wiki pages rendered through the Cargo data-display system. The CVSS 4.0 vector carries E:A (evidence of active exploitation), elevating this beyond a theoretical risk. Successful exploitation enables session hijacking, credential theft, and in-browser payload delivery against any user who views an affected Cargo-rendered page.

XSS Mediawiki Cargo Extension
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-39837 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in the Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to inject malicious scripts via improper neutralization of HTML tags, enabling persistent client-side attacks against other users viewing affected content. The vulnerability requires user interaction (page view) but grants attackers the ability to modify page content and session information for victims, with CVSS 6.3 reflecting medium severity and EPSS exploitation probability not independently confirmed from available data.

XSS Mediawiki Cargo Extension
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-39841 MEDIUM PATCH This Month

Stored XSS vulnerability in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing permissions to inject malicious scripts via improper neutralization of HTML script tags, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers when stored content is viewed. The vulnerability requires user interaction (page view) and authenticated access but carries high scope impact on integrity and confidentiality through script injection in a collaborative wiki environment.

XSS Mediawiki Cargo Extension
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-39840 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to inject malicious scripts into non-script page elements through improper input neutralization. The vulnerability requires user interaction (UI:P) and has limited scope impact, affecting only the confidentiality and integrity of session data. No public exploit code or active exploitation has been identified at the time of analysis.

XSS Mediawiki Cargo Extension
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-39839 MEDIUM PATCH This Month

Stored XSS in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing privileges to inject malicious scripts via improper HTML tag neutralization, affecting all installations of the extension using vulnerable versions. The vulnerability requires user interaction (page view) to trigger, and impacts script integrity and site integrity for affected wiki installations. No public exploit code or active exploitation has been reported at the time of analysis.

XSS Mediawiki Cargo Extension
NVD
CVSS 4.0
6.3
EPSS
0.0%
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

SQL injection in the Wikimedia Foundation's MediaWiki Cargo Extension exposes wiki deployments to unauthenticated database read and write operations across all versions prior to 1.43.9, 1.44.6, and 1.45.4. The Cargo extension's core function - accepting user-supplied query parameters to construct database queries - makes this a structurally sensitive attack surface, as improper neutralization of SQL special elements allows crafted input to escape intended query boundaries. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, but the PR:N/AC:L/AT:N CVSS 4.0 vector confirms exploitation requires no authentication or special preconditions against default-accessible Cargo query endpoints.

SQLi Mediawiki Cargo Extension Red Hat
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

SQL injection in the Wikimedia Foundation's Cargo Extension for MediaWiki exposes all installations running versions prior to 1.43.9, 1.44.6, or 1.45.4 to unauthenticated database manipulation via the Cargo query interface. The flaw stems from improper neutralization of user-controlled input incorporated into SQL statements without adequate parameterization, allowing attackers to read, modify, or partially disrupt data stored in Cargo-managed tables. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 vector confirms low-complexity, network-accessible exploitation requiring no authentication or user interaction.

SQLi Mediawiki Cargo Extension
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Stored cross-site scripting in the Wikimedia Foundation's MediaWiki Cargo Extension (all versions before 3.9.1) allows attackers to inject persistent malicious scripts into wiki pages rendered through the Cargo data-display system. The CVSS 4.0 vector carries E:A (evidence of active exploitation), elevating this beyond a theoretical risk. Successful exploitation enables session hijacking, credential theft, and in-browser payload delivery against any user who views an affected Cargo-rendered page.

XSS Mediawiki Cargo Extension
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in the Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to inject malicious scripts via improper neutralization of HTML tags, enabling persistent client-side attacks against other users viewing affected content. The vulnerability requires user interaction (page view) but grants attackers the ability to modify page content and session information for victims, with CVSS 6.3 reflecting medium severity and EPSS exploitation probability not independently confirmed from available data.

XSS Mediawiki Cargo Extension
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Stored XSS vulnerability in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing permissions to inject malicious scripts via improper neutralization of HTML script tags, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers when stored content is viewed. The vulnerability requires user interaction (page view) and authenticated access but carries high scope impact on integrity and confidentiality through script injection in a collaborative wiki environment.

XSS Mediawiki Cargo Extension
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to inject malicious scripts into non-script page elements through improper input neutralization. The vulnerability requires user interaction (UI:P) and has limited scope impact, affecting only the confidentiality and integrity of session data. No public exploit code or active exploitation has been identified at the time of analysis.

XSS Mediawiki Cargo Extension
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Stored XSS in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing privileges to inject malicious scripts via improper HTML tag neutralization, affecting all installations of the extension using vulnerable versions. The vulnerability requires user interaction (page view) to trigger, and impacts script integrity and site integrity for affected wiki installations. No public exploit code or active exploitation has been reported at the time of analysis.

XSS Mediawiki Cargo Extension
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy