Description
Cross-Site Scripting (XSS) vulnerability reflected in Semantic MediaWiki. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Published: 2026-04-21
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting allowing theft of session cookies and unauthorized actions
Action: Patch
AI Analysis

Impact

Cross-Site Scripting (XSS) is reflected in the Semantic MediaWiki application. By sending a victim a specially crafted URL that includes malicious JavaScript in the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter, an attacker can run code in the victim's browser. This can lead to theft of session cookies, privilege escalation or other actions performed with the victim's credentials.

Affected Systems

Semantic MediaWiki, any release earlier than 5.0.2, is vulnerable. Versions 5.0.2 and newer contain the fix.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.1, indicating moderate severity. No EPSS score is reported and it is not listed in the CISA KEV catalog, but the exploit is straightforward: an attacker only needs to embed the malicious payload in a URL that the victim visits. The attack does not require authentication and can be performed from any network, making it a classic reflected XSS risk.

Generated by OpenCVE AI on April 21, 2026 at 22:46 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed by the Semantic MediaWiki team in version 5.0.2.

OpenCVE Recommended Actions

  • Update Semantic MediaWiki to version 5.0.2 or later to apply the vendor patch.
  • Educate users to avoid clicking on unknown or suspicious links that target the affected endpoint.
  • If patching cannot be performed immediately, block or disable the '/index.php/Speciaal:GefacetteerdZoeken' endpoint via web server or application configuration, or apply a WAF rule to reject script payloads in query parameters.
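As an added example that is not part of this OpenCVE page or of the Semantic MediaWiki project: a Python triage script that scans web-server access logs for requests to the affected endpoint (path form, and the ?title= form MediaWiki's index.php also accepts) whose percent-decoded query string carries markup or script markers. The log lines are constructed, and the marker pattern is a detection heuristic for hunting attempts in existing logs, not a filter to rely on instead of the 5.0.2 upgrade, since such blocklists can be bypassed.

```python
import re
from urllib.parse import parse_qs, unquote, unquote_plus, urlsplit

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2026:15:20:01 +0000] "GET /index.php/Speciaal:GefacetteerdZoeken?q=wiki HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Apr/2026:15:21:10 +0000] "GET /index.php/Speciaal:GefacetteerdZoeken?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Apr/2026:15:22:45 +0000] "GET /index.php/Hoofdpagina HTTP/1.1" 200 9876 "-" "curl/8.0"
203.0.113.9 - - [21/Apr/2026:15:23:02 +0000] "GET /index.php/Speciaal%3AGefacetteerdZoeken?q=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
"""

# Endpoint named in the advisory (path form) and the ?title= form that MediaWiki's
# index.php also accepts; both compared case-insensitively after decoding.
ENDPOINT_PATH = "/index.php/speciaal:gefacetteerdzoeken"
ENDPOINT_TITLE = "speciaal:gefacetteerdzoeken"

# Combined Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Markup/script indicators in a decoded query string. A triage heuristic, not a
# filter: blocklists like this are bypassable, hence the advisory's upgrade advice.
MARKER_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.I)

def fully_decode(s, decoder=unquote, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is normalised."""
    for _ in range(rounds):
        d = decoder(s)
        if d == s:
            break
        s = d
    return s

def targets_endpoint(target):
    """True when a request-line target addresses the faceted-search special page."""
    parts = urlsplit(target)
    if fully_decode(parts.path).lower().startswith(ENDPOINT_PATH):
        return True
    titles = parse_qs(parts.query).get("title", [])
    return any(fully_decode(t).lower() == ENDPOINT_TITLE for t in titles)

def flag_requests(log_text):
    """One dict per request to the endpoint whose decoded query carries markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not targets_endpoint(m["target"]):
            continue
        query = fully_decode(urlsplit(m["target"]).query, unquote_plus)
        marker = MARKER_RE.search(query)
        if marker:
            hits.append({"ip": m["ip"], "ts": m["ts"], "query": query, "marker": marker.group(0)})
    return hits
```

Running `flag_requests(SAMPLE_LOG)` on the constructed lines flags the two requests from 203.0.113.9 and ignores the benign search and the unrelated page view.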



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

  Type:           Metrics (ssvc)
  Values Removed: (none)
  Values Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:15:00 +0000

  Type:           First Time appeared
  Values Removed: (none)
  Values Added:   Semantic-mediawiki; Semantic-mediawiki semantic Mediawiki

  Type:           Vendors & Products
  Values Removed: (none)
  Values Added:   Semantic-mediawiki; Semantic-mediawiki semantic Mediawiki

Tue, 21 Apr 2026 15:00:00 +0000

  Type:           Description
  Values Removed: (none)
  Values Added:   Cross-Site Scripting (XSS) vulnerability reflected in Semantic MediaWiki. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

  Type:           Title
  Values Removed: (none)
  Values Added:   Reflected Cross-Site Scripting (XSS) in Semantic MediaWiki

  Type:           Weaknesses
  Values Removed: (none)
  Values Added:   CWE-79

  Type:           References
  Values Removed: (none)
  Values Added:   (no values shown)

  Type:           Metrics (cvssV4_0)
  Values Removed: (none)
  Values Added:   {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Semantic-mediawiki Semantic Mediawiki
MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-04-21T19:25:40.964Z

Reserved: 2025-09-12T10:35:06.340Z

Link: CVE-2025-10354

Vulnrichment

Updated: 2026-04-21T19:24:34.336Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T15:16:34.290

Modified: 2026-04-21T16:20:24.180

Link: CVE-2025-10354

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:00:03Z

Weaknesses