Description
Improper input validation vulnerability in Wikimedia Foundation UrlShortener.

This vulnerability is associated with program files includes/UrlShortenerUtils.Php.
Published: 2026-07-01
Score: 0 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The UrlShortener extension contains an improper input validation flaw where user-supplied URLs are parsed using PHP's URL parsing logic rather than the WHATWG URL parsing standard. This discrepancy can allow crafted URLs to bypass the extension's validation checks, potentially redirecting visitors to arbitrary destinations. The impact is an open redirect that can be leveraged for phishing. The description does not explicitly state the outcome; it is inferred from the title and the nature of the validation bypass that the redirect target can be controlled by an attacker.

Affected Systems

The vulnerable component is the UrlShortener extension released by Wikimedia Foundation. No specific version numbers are listed, so any installation of this extension could be susceptible unless otherwise noted by the vendor. The extension is typically used to create shortened URLs from user‑supplied inputs.

Risk and Exploitability

The CVE lacks an EPSS score and is not listed in the CISA KEV catalog, indicating no publicly documented exploitation at this time. No CVSS score is provided, so the severity is unknown, but the presence of a redirect flaw inherently carries a moderate to high risk of abuse if an attacker can supply crafted URLs. The likely attack vector would involve an attacker creating a shortened URL crafted to redirect to a malicious site and persuading a user to visit it. Without further information, the exploitation probability remains uncertain, but the potential for phishing makes the vulnerability significant for sites relying on the extension.

Generated by OpenCVE AI on July 2, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch or upgrade the UrlShortener extension as documented in Wikimedia Foundation ticket T418533.
  • If no patch is available, disable the extension or restrict its use to trusted users on public‑facing instances.
  • Implement strict server‑side validation of target URLs, using the WHATWG URL standard or a domain whitelist, to ensure only safe redirects can occur.
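The third recommended action above, strict server-side validation of the redirect target, can be implemented without modelling a second URL parser at all: accept only URLs that are plain, unambiguous http(s) URLs, that survive a parse-and-rebuild round trip unchanged, and whose host is on an explicit allowlist. The following PHP is an added example written for this page; it is not code from the UrlShortener extension, and the function name, the allowlist and the sample URLs are constructed for illustration.

```php
<?php
// Added example (not code from the UrlShortener extension). Validates a
// user-supplied redirect target: absolute http(s) URL only, no userinfo or
// port, plain DNS host name, exact parse_url() round-trip, host on allowlist.

function isAllowedRedirectTarget(string $url, array $allowedHosts): bool
{
    // Reject control characters, whitespace and non-ASCII bytes up front;
    // these are precisely the inputs on which URL parsers tend to disagree.
    if (preg_match('/[^\x21-\x7e]/', $url)) {
        return false;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }

    // Only plain http/https, and no userinfo or explicit port.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;
    }

    // Host must be a plain DNS name: labels of letters, digits and '-' joined by '.'.
    $host = strtolower($parts['host']);
    $label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
    if (!preg_match('/^' . $label . '(\.' . $label . ')*$/', $host)) {
        return false;
    }

    // Rebuild the URL from the parsed components and require it to equal the
    // input byte for byte. Anything parse_url() silently dropped or
    // reinterpreted fails this round-trip check, so an ambiguous URL is
    // refused rather than passed on to a browser that may parse it differently.
    $rebuilt = $parts['scheme'] . '://' . $parts['host']
        . ($parts['path'] ?? '')
        . (isset($parts['query']) ? '?' . $parts['query'] : '')
        . (isset($parts['fragment']) ? '#' . $parts['fragment'] : '');
    if ($rebuilt !== $url) {
        return false;
    }

    // Host must be an allowlisted name or a subdomain of one.
    foreach ($allowedHosts as $allowed) {
        $allowed = strtolower($allowed);
        $suffix  = '.' . $allowed;
        if ($host === $allowed
            || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs and allowlist (not taken from the advisory).
$allowed = ['example.org', 'wiki.example.net'];
$samples = [
    'https://example.org/wiki/Main_Page',   // accept: exact allowlisted host
    'https://docs.example.org/page?x=1#s',  // accept: subdomain of allowlisted host
    'https://example.org.other.test/',      // reject: host not on allowlist
    'https://user@example.org/',            // reject: userinfo present
    'https://example.org:8443/',            // reject: explicit port
    'ftp://example.org/',                   // reject: scheme is not http(s)
    "https://example.org/\tpath",           // reject: control character in input
];
foreach ($samples as $candidate) {
    printf("%-40s %s\n", str_replace("\t", '\t', $candidate),
        isAllowedRedirectTarget($candidate, $allowed) ? 'accept' : 'reject');
}
```

The design choice is to fail closed on anything the PHP parser had to normalise or discard: a URL that does not reproduce itself from its own parsed components is ambiguous by definition, and the allowlist then bounds the damage even if a future parser divergence slips past the round-trip check.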

Generated by OpenCVE AI on July 2, 2026 at 05:23 UTC.


Advisories

No advisories yet.

References
History

Wed, 01 Jul 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 15:30:00 +0000

Type          Values Removed   Values Added
Description   -                Improper input validation vulnerability in Wikimedia Foundation UrlShortener. This vulnerability is associated with program files includes/UrlShortenerUtils.Php.
Title         -                UrlShortener extension url validation can be bypassed due to difference between php url parsing and WHATWG
Weaknesses    -                CWE-20
References    -
Metrics       -                cvssV4_0: {'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-07-01T15:44:29.349Z

Reserved: 2026-06-29T13:21:21.798Z

Link: CVE-2026-13706

Vulnrichment

Updated: 2026-07-01T15:44:25.402Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T05:30:17Z

Weaknesses
  • CWE-20: Improper Input Validation