Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-39841 (GCVE-0-2026-39841)
Vulnerability from cvelistv5 – Published: 2026-04-07 19:43 – Updated: 2026-04-07 20:42
VLAI
EPSS
Title
Stored XSS through list fields on Cargo's page values and Special:CargoTables
Summary
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wikimedia Foundation | Mediawiki - Cargo Extension |
Affected:
0 , < 3.8.7
(custom)
|
Credits
Alex44019
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39841",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T20:32:32.993981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T20:42:42.588Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Cargo Extension",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "3.8.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex44019"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.\u003cp\u003eThis issue affects Mediawiki - Cargo Extension: before 3.8.7.\u003c/p\u003e"
}
],
"value": "Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T20:01:29.127Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T416389"
},
{
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237973"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS through list fields on Cargo\u0027s page values and Special:CargoTables",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-39841",
"datePublished": "2026-04-07T19:43:48.096Z",
"dateReserved": "2026-04-07T18:21:12.573Z",
"dateUpdated": "2026-04-07T20:42:42.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-39841",
"date": "2026-06-17",
"epss": "0.00158",
"percentile": "0.05311"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-39841\",\"sourceIdentifier\":\"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\",\"published\":\"2026-04-07T20:16:34.077\",\"lastModified\":\"2026-04-15T23:42:09.723\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-80\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mediawiki:cargo:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.8.7\",\"matchCriteriaId\":\"2DC55253-9AE6-42A2-8B71-5ED6A28A1DF8\"}]}]}],\"references\":[{\"url\":\"https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237973\",\"source\":\"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\",\"tags\":[\"Patch\"]},{\"url\":\"https://phabricator.wikimedia.org/T416389\",\"source\":\"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\", \"shortName\": \"wikimedia-foundation\", \"dateUpdated\": \"2026-04-07T20:01:29.127Z\"}, \"title\": \"Stored XSS through list fields on Cargo\u0027s page values and Special:CargoTables\", \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-80\", \"description\": \"CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)\", \"type\": \"CWE\"}]}], \"impacts\": [{\"capecId\": \"CAPEC-592\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-592 Stored XSS\"}]}], \"affected\": [{\"vendor\": \"Wikimedia Foundation\", \"product\": \"Mediawiki - Cargo Extension\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.8.7\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.\u003cp\u003eThis issue affects Mediawiki - Cargo Extension: before 3.8.7.\u003c/p\u003e\"}]}], \"references\": [{\"url\": \"https://phabricator.wikimedia.org/T416389\"}, {\"url\": \"https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237973\"}], \"metrics\": [{\"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}], \"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"PASSIVE\", \"vulnConfidentialityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"Safety\": \"NOT_DEFINED\", \"Automatable\": \"NOT_DEFINED\", \"Recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"version\": \"4.0\", \"baseSeverity\": \"MEDIUM\", \"baseScore\": 6.3, \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N\"}}], \"credits\": [{\"lang\": \"en\", \"value\": \"Alex44019\", \"type\": \"finder\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39841\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-07T20:32:32.993981Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-04-07T20:39:22.547Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-39841\", \"assignerOrgId\": \"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"wikimedia-foundation\", \"dateReserved\": \"2026-04-07T18:21:12.573Z\", \"datePublished\": \"2026-04-07T19:43:48.096Z\", \"dateUpdated\": \"2026-04-07T20:01:29.127Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-39841
Vulnerability from fkie_nvd - Published: 2026-04-07 20:16 - Updated: 2026-06-17 10:42
Severity
Summary
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
References
| URL | Tags | ||
|---|---|---|---|
| c4f26cc8-17ff-4c99-b5e2-38fc1793eacc | https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237973 | Patch | |
| c4f26cc8-17ff-4c99-b5e2-38fc1793eacc | https://phabricator.wikimedia.org/T416389 | Exploit, Issue Tracking, Vendor Advisory |
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Cargo Extension",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "3.8.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mediawiki:cargo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC55253-9AE6-42A2-8B71-5ED6A28A1DF8",
"versionEndExcluding": "3.8.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7."
}
],
"id": "CVE-2026-39841",
"lastModified": "2026-06-17T10:42:40.940",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-39841",
"options": [
{
"exploitation": "poc"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T20:32:32.993981Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-04-07T20:16:34.077",
"references": [
{
"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"tags": [
"Patch"
],
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237973"
},
{
"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://phabricator.wikimedia.org/T416389"
}
],
"sourceIdentifier": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-2MG7-W9R8-29MW
Vulnerability from github – Published: 2026-04-07 21:32 – Updated: 2026-04-16 00:54
VLAI
Details
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Severity
6.1 (Medium)
{
"affected": [],
"aliases": [
"CVE-2026-39841"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T20:16:34Z",
"severity": "MODERATE"
},
"details": "Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.",
"id": "GHSA-2mg7-w9r8-29mw",
"modified": "2026-04-16T00:54:04Z",
"published": "2026-04-07T21:32:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39841"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237973"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T416389"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
WID-SEC-W-2026-1043
Vulnerability from csaf_certbund - Published: 2026-04-09 22:00 - Updated: 2026-04-09 22:00Summary
MediaWiki Erweiterungen: Mehrere Schwachstellen ermöglichen Cross-Site Scripting
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: MediaWiki ist ein freies Wiki, das ursprünglich für den Einsatz auf Wikipedia entwickelt wurde.
Angriff: Ein Angreifer kann mehrere Schwachstellen in MediaWiki Extensions ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen.
Betroffene Betriebssysteme: - Sonstiges
- UNIX
- Windows
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source MediaWiki GrowthExperiments Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:growthexperiments_extension
|
GrowthExperiments Extension | |
|
Open Source MediaWiki CampaignEvents Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:campaignevents_extension
|
CampaignEvents Extension | |
|
Open Source MediaWiki ReportIncident Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:reportincident__extension
|
ReportIncident Extension | |
|
Open Source MediaWiki ProofreadPage Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:proofreadpage_extension
|
ProofreadPage Extension | |
|
Open Source MediaWiki Cargo Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:cargo_extension
|
Cargo Extension | |
|
Open Source MediaWiki <1.45.2
Open Source / MediaWiki
|
<1.45.2 | ||
|
Open Source MediaWiki Wikilove Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:wikilove_extension
|
Wikilove Extension | |
|
Open Source MediaWiki Score Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:score_extension
|
Score Extension | |
|
Open Source MediaWiki <1.43.7
Open Source / MediaWiki
|
<1.43.7 | ||
|
Open Source MediaWiki CentralAuth Extension
Open Source / MediaWiki
|
cpe:/a:mediawiki:mediawiki:centralauth__extension
|
CentralAuth Extension | |
|
Open Source MediaWiki <1.44.4
Open Source / MediaWiki
|
<1.44.4 |
References
16 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "MediaWiki ist ein freies Wiki, das urspr\u00fcnglich f\u00fcr den Einsatz auf Wikipedia entwickelt wurde.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in MediaWiki Extensions ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-1043 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1043.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-1043 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1043"
},
{
"category": "external",
"summary": "MediaWiki Extensions and Skins Security Release Supplement (1.43.7/1.44.4/1.45.2) vom 2026-04-09",
"url": "https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/VXEYKT6FNA5NYFPAYU67SNTNBXLTQ4FN/"
},
{
"category": "external",
"summary": "EU Vulnerability Database EUVD-2026-19851 vom 2026-04-09",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19851"
},
{
"category": "external",
"summary": "EU Vulnerability Database EUVD-2026-19889 vom 2026-04-09",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19889"
},
{
"category": "external",
"summary": "EU Vulnerability Database EUVD-2026-19891 vom 2026-04-09",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19891"
},
{
"category": "external",
"summary": "EU Vulnerability Database EUVD-2026-19897 vom 2026-04-09",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19897"
},
{
"category": "external",
"summary": "EU Vulnerability Database EUVD-2026-19927 vom 2026-04-09",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19927"
},
{
"category": "external",
"summary": "EU Vulnerability Database EUVD-2026-19929 vom 2026-04-09",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19929"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-8m8x-w498-p4wx vom 2026-04-09",
"url": "https://github.com/advisories/GHSA-8m8x-w498-p4wx"
},
{
"category": "external",
"summary": "EU Vulnerability Database EUVD-2026-19931 vom 2026-04-09",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19931"
},
{
"category": "external",
"summary": "EU Vulnerability Database EUVD-2026-19976 vom 2026-04-09",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19976"
},
{
"category": "external",
"summary": "EU Vulnerability Database EUVD-2026-19978 vom 2026-04-09",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19978"
},
{
"category": "external",
"summary": "EU Vulnerability Database EUVD-2026-19980 vom 2026-04-09",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19980"
},
{
"category": "external",
"summary": "EU Vulnerability Database EUVD-2026-19982 vom 2026-04-09",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19982"
},
{
"category": "external",
"summary": "EU Vulnerability Database EUVD-2026-19984 vom 2026-04-09",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19984"
}
],
"source_lang": "en-US",
"title": "MediaWiki Erweiterungen: Mehrere Schwachstellen erm\u00f6glichen Cross-Site Scripting",
"tracking": {
"current_release_date": "2026-04-09T22:00:00.000+00:00",
"generator": {
"date": "2026-04-10T09:09:08.024+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-1043",
"initial_release_date": "2026-04-09T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-04-09T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.43.7",
"product": {
"name": "Open Source MediaWiki \u003c1.43.7",
"product_id": "T052630"
}
},
{
"category": "product_version",
"name": "1.43.7",
"product": {
"name": "Open Source MediaWiki 1.43.7",
"product_id": "T052630-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:1.43.7"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.44.4",
"product": {
"name": "Open Source MediaWiki \u003c1.44.4",
"product_id": "T052631"
}
},
{
"category": "product_version",
"name": "1.44.4",
"product": {
"name": "Open Source MediaWiki 1.44.4",
"product_id": "T052631-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:1.44.4"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.45.2",
"product": {
"name": "Open Source MediaWiki \u003c1.45.2",
"product_id": "T052632"
}
},
{
"category": "product_version",
"name": "1.45.2",
"product": {
"name": "Open Source MediaWiki 1.45.2",
"product_id": "T052632-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:1.45.2"
}
}
},
{
"category": "product_version",
"name": "Wikilove Extension",
"product": {
"name": "Open Source MediaWiki Wikilove Extension",
"product_id": "T052633",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:wikilove_extension"
}
}
},
{
"category": "product_version",
"name": "ProofreadPage Extension",
"product": {
"name": "Open Source MediaWiki ProofreadPage Extension",
"product_id": "T052634",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:proofreadpage_extension"
}
}
},
{
"category": "product_version",
"name": "Cargo Extension",
"product": {
"name": "Open Source MediaWiki Cargo Extension",
"product_id": "T052635",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:cargo_extension"
}
}
},
{
"category": "product_version",
"name": "ReportIncident Extension",
"product": {
"name": "Open Source MediaWiki ReportIncident Extension",
"product_id": "T052636",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:reportincident__extension"
}
}
},
{
"category": "product_version",
"name": "GrowthExperiments Extension",
"product": {
"name": "Open Source MediaWiki GrowthExperiments Extension",
"product_id": "T052638",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:growthexperiments_extension"
}
}
},
{
"category": "product_version",
"name": "CampaignEvents Extension",
"product": {
"name": "Open Source MediaWiki CampaignEvents Extension",
"product_id": "T052639",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:campaignevents_extension"
}
}
},
{
"category": "product_version",
"name": "Score Extension",
"product": {
"name": "Open Source MediaWiki Score Extension",
"product_id": "T052641",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:score_extension"
}
}
},
{
"category": "product_version",
"name": "CentralAuth Extension",
"product": {
"name": "Open Source MediaWiki CentralAuth Extension",
"product_id": "T052642",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:centralauth__extension"
}
}
}
],
"category": "product_name",
"name": "MediaWiki"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-22711",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-22711"
},
{
"cve": "CVE-2026-30977",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-30977"
},
{
"cve": "CVE-2026-39837",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-39837"
},
{
"cve": "CVE-2026-39838",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-39838"
},
{
"cve": "CVE-2026-39839",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-39839"
},
{
"cve": "CVE-2026-39840",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-39840"
},
{
"cve": "CVE-2026-39841",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-39841"
},
{
"cve": "CVE-2026-39933",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-39933"
},
{
"cve": "CVE-2026-39934",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-39934"
},
{
"cve": "CVE-2026-39935",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-39935"
},
{
"cve": "CVE-2026-39936",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-39936"
},
{
"cve": "CVE-2026-39937",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-39937"
},
{
"cve": "CVE-2026-5762",
"product_status": {
"known_affected": [
"T052638",
"T052639",
"T052636",
"T052634",
"T052635",
"T052632",
"T052633",
"T052641",
"T052630",
"T052642",
"T052631"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-5762"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…