Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39.
Published: 2026-01-08
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows stored cross-site scripting through autocomment system messages in the Wikibase extension. An attacker who gets a malicious payload stored in such a message can have JavaScript execute in the browser of any user who views the resulting autocomment, potentially enabling phishing, cookie theft, or defacement. The weakness is classed as improper neutralization of input during web page generation (CWE-79).

Affected Systems

The Wikimedia Foundation's Mediawiki Wikibase Extension is affected. Versions 1.39, 1.43, 1.44, and 1.45 contain the flaw. Users running any of these releases are exposed wherever autocomment messages are rendered for community members.

Risk and Exploitability

The CVSS v4 base score of 2.3 indicates low severity, and the EPSS score below 1 % indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Both CVSS vectors recorded on this page give a network attack vector (AV:N) with user interaction required: the attacker must get a payload stored that is later displayed as an autocomment and viewed by a victim. No public exploits have been reported, and the low score reflects the limited impact on any single user whose browser renders the payload. Despite the low probability, prompt remediation is still recommended to prevent phishing or defacement.

Generated by OpenCVE AI on April 18, 2026 at 07:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mediawiki Wikibase Extension to the latest version that fixes the stored XSS flaw.
  • If an upgrade is not immediately possible, configure the extension or server so that untrusted content in autocomment system messages is HTML-escaped or stripped before it is rendered.
  • Continuously monitor user activity for signs of script injection or abnormal comment behavior, and apply additional input validation if the feature remains enabled.


Advisories

No advisories yet.

History

Thu, 12 Feb 2026 18:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Wikimedia wikibase
CPEs                 |                | cpe:2.3:a:wikimedia:wikibase:1.39:*:*:*:*:mediawiki:*:*
                     |                | cpe:2.3:a:wikimedia:wikibase:1.43:*:*:*:*:mediawiki:*:*
                     |                | cpe:2.3:a:wikimedia:wikibase:1.44:*:*:*:*:mediawiki:*:*
                     |                | cpe:2.3:a:wikimedia:wikibase:1.45:*:*:*:*:mediawiki:*:*
Vendors & Products   |                | Wikimedia wikibase
Metrics              |                | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 09 Jan 2026 20:15:00 +0000

Type                 | Values Removed | Values Added
Metrics              |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 13:30:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Mediawiki
                     |                | Mediawiki mediawiki
                     |                | Wikimedia
                     |                | Wikimedia mediawiki-wikibase Extension
Vendors & Products   |                | Mediawiki
                     |                | Mediawiki mediawiki
                     |                | Wikimedia
                     |                | Wikimedia mediawiki-wikibase Extension

Fri, 09 Jan 2026 00:00:00 +0000

Type                 | Values Removed | Values Added
Description          |                | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39.
Title                |                | Stored XSS through autocomment system messages in Wikibase
Weaknesses           |                | CWE-79
References           |                |
Metrics              |                | cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-01-09T19:16:54.193Z

Reserved: 2026-01-08T23:23:42.385Z

Link: CVE-2026-22710

Vulnrichment

Updated: 2026-01-09T19:16:51.483Z

NVD

Status: Analyzed

Published: 2026-01-09T00:15:45.693

Modified: 2026-02-12T17:50:39.720

Link: CVE-2026-22710

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses