Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows Cross-Site Scripting (XSS). This issue affects MediaWiki - ProofreadPage Extension: 1.45, 1.44, 1.43, 1.39.
Published: 2026-01-07
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via system messages that can compromise users’ confidentiality and integrity in MediaWiki ProofreadPage
Action: Patch Now
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw that occurs when a system message incorporates a user‑provided parameter without proper escaping. An attacker can inject malicious scripts that will be executed in the context of any user who views the affected page, potentially allowing data theft, session hijacking, or defacement of the site. The weakness is identified as CWE‑79, representing an improper neutralization of input during web page generation.

Affected Systems

MediaWiki ProofreadPage Extension versions 1.39, 1.43, 1.44, and 1.45 from the Wikimedia Foundation are affected. Any installation running one of these versions that allows the creation or modification of system messages is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS is reported as less than 1 %, reflecting a low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalogue. Based on the description, the likely attack vector is an attacker who has the ability to create or edit system messages. Once injected, the malicious payload will be stored and served to all users, making it a potentially widespread threat within the affected installation.

Generated by OpenCVE AI on April 18, 2026 at 07:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ProofreadPage to the latest version that contains the fix for this stored XSS issue
  • Restrict editing of system messages to highly trusted users or administrators, and enforce code reviews for changes
  • Sanitize and escape any user‑provided parameters before incorporating them into system messages to prevent script injection
  • Implement a Content‑Security‑Policy header that disallows inline scripts and limits executable JavaScript to approved sources

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 18:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wikisource; Wikisource proofread Page

Type: CPEs
Values Removed: (none)
Values Added:
cpe:2.3:a:wikisource:proofread_page:1.39:*:*:*:*:mediawiki:*:*
cpe:2.3:a:wikisource:proofread_page:1.43:*:*:*:*:mediawiki:*:*
cpe:2.3:a:wikisource:proofread_page:1.44:*:*:*:*:mediawiki:*:*
cpe:2.3:a:wikisource:proofread_page:1.45:*:*:*:*:mediawiki:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Wikisource; Wikisource proofread Page

Thu, 08 Jan 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mediawiki; Mediawiki mediawiki; Wikimedia; Wikimedia mediawiki-proofreadpage Extension

Type: Vendors & Products
Values Removed: (none)
Values Added: Mediawiki; Mediawiki mediawiki; Wikimedia; Wikimedia mediawiki-proofreadpage Extension

Wed, 07 Jan 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows Cross-Site Scripting (XSS). This issue affects MediaWiki - ProofreadPage Extension: 1.45, 1.44, 1.43, 1.39.

Type: Title
Values Removed: (none)
Values Added: Stored XSS through a system message and a user-provided parameter in ProofreadPage

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-01-07T19:25:36.796Z

Reserved: 2026-01-07T16:35:04.806Z

Link: CVE-2026-0670

Vulnrichment

Updated: 2026-01-07T19:25:08.156Z

NVD

Status: Analyzed

Published: 2026-01-07T19:15:56.203

Modified: 2026-02-23T18:40:17.617

Link: CVE-2026-0670

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses