Description
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection.

This issue affects Mediawiki - Cargo Extension: from * before 1.43.9, 1.44.6, 1.45.4.
Published: 2026-07-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements used in an SQL command ('SQL injection') allows an attacker to inject arbitrary SQL into queries executed by the MediaWiki Cargo Extension, potentially enabling data exfiltration, unauthorized data modification, or credential compromise. This weakness is classified as CWE-89 and can affect the confidentiality, integrity, and availability of the underlying database if exploited.

Affected Systems

The Wikimedia Foundation MediaWiki Cargo Extension versions prior to 1.43.9, 1.44.6, and 1.45.4 are affected. Users running any of these older releases on their wiki sites are vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability. The EPSS score is not available, so the likelihood of exploitation remains uncertain, and the issue is not listed in the CISA KEV catalog. The attack vector is the Special:Drilldown page, where unfiltered input can be supplied to a database query; the impact on the database depends on whether the wiki's database credentials have sufficient privileges.

Generated by OpenCVE AI on July 2, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cargo Extension to a version that includes the fix (≥1.43.9, 1.44.6, or 1.45.4 depending on your release), which removes the unsanitized input handling.
  • If an upgrade cannot be performed immediately, restrict access to the Special:Drilldown page to trusted users or block the page entirely using IP or authentication rules to prevent unauthorized requests.
  • Apply the code changes from the Gerrit commits (https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1269701 and https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1279498) and ensure that all user-supplied parameters are validated and escaped before inclusion in SQL statements.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 20:00:00 +0000

Values Removed: none
Values Added:
  • Description: Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection. This issue affects Mediawiki - Cargo Extension: from * before 1.43.9, 1.44.6, 1.45.4.
  • Title: Cargo Extension: SQLi in Special:Drilldown
  • Weaknesses: CWE-89
  • References: none
  • Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-07-02T13:10:36.142Z

Reserved: 2026-07-01T19:17:15.130Z

Link: CVE-2026-14363

Vulnrichment

Updated: 2026-07-02T13:10:30.301Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T13:00:03Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')