Mediawiki Charts Extension
Monthly
Cross-site scripting in the Wikimedia Foundation's MediaWiki Charts Extension allows network-accessible, unauthenticated attackers to inject malicious JavaScript into wiki pages that render chart content. All installations running the Charts Extension across the 1.43.x, 1.44.x, and 1.45.x branches prior to fixed releases 1.43.9, 1.44.6, and 1.45.4 are affected. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the CVSS 4.0 vector's PR:N and UI:N designations indicate the attack requires neither attacker credentials nor victim interaction beyond page rendering, which is atypical for classical reflected XSS and elevates practical exploitability.
Cross-site scripting in the Wikimedia Foundation's MediaWiki Charts Extension allows network-accessible, unauthenticated attackers to inject malicious JavaScript into wiki pages that render chart content. All installations running the Charts Extension across the 1.43.x, 1.44.x, and 1.45.x branches prior to fixed releases 1.43.9, 1.44.6, and 1.45.4 are affected. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the CVSS 4.0 vector's PR:N and UI:N designations indicate the attack requires neither attacker credentials nor victim interaction beyond page rendering, which is atypical for classical reflected XSS and elevates practical exploitability.