Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.
Published: 2026-01-08
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

The vulnerability arises from improper neutralization of user‑supplied content in the Monaco skin of MediaWiki, allowing malicious actors to inject and execute arbitrary script code on page loads. This flaw can lead to theft of session cookies, defacement of content, or redirection to phishing sites. The weakness is categorized as CWE‑79 and is considered a classic XSS bug. No denial of service or configuration SQL injection is reported in the official description.

Affected Systems

Vendors and products impacted include The Wikimedia Foundation’s MediaWiki platform when using the Monaco skin. The skin versions explicitly listed—1.45, 1.44, 1.43, and 1.39—are vulnerable. Users running any of those versions should review their deployment of the Monaco skin.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity assessment, and the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The issue is not listed in CISA’s KEV catalog, further underscoring its limited threat. Attackers would need to attract browsers to a page rendered with the vulnerable skin, which typically involves social engineering or compromised content. Because the flaw resides in the rendering layer and not in authentication or authorization, reach is limited to visitors to affected pages.

Generated by OpenCVE AI on April 18, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Monaco skin to a version that corrects the XSS issue once available; if no fixed release exists, disable or remove the Monaco skin from the MediaWiki installation.
  • Implement strict content‑security‑policy headers to restrict execution of inline scripts and disallow unsafe‑eval.
  • Ensure all user‑generated and i18n strings are properly escaped or encoded before rendering; consider applying a library such as DOMPurify to sanitize output.

Generated by OpenCVE AI on April 18, 2026 at 16:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Mediawiki
Mediawiki mediawiki
Wikimedia
Wikimedia mediawiki-monaco Skin
Vendors & Products Mediawiki
Mediawiki mediawiki
Wikimedia
Wikimedia mediawiki-monaco Skin

Fri, 09 Jan 2026 00:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.
Title i18n XSS, DoS and config SQLI in Monaco
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Mediawiki Mediawiki
Wikimedia Mediawiki-monaco Skin
cve-icon MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-01-09T19:17:41.872Z

Reserved: 2026-01-08T23:23:42.385Z

Link: CVE-2026-22714

cve-icon Vulnrichment

Updated: 2026-01-09T19:17:38.745Z

cve-icon NVD

Status : Deferred

Published: 2026-01-09T00:15:46.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22714

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:45:05Z

Weaknesses