Description
Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed in 2.1.1.
Published: 2026-03-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Bucket extension for MediaWiki, prior to version 2.1.1, contains a stored cross‑site scripting flaw. A malicious actor can insert arbitrary JavaScript into any table field labeled as PAGE, and the script will run whenever a user views the corresponding namespace page. The weakness is a classic stored XSS, classified as CWE‑79, and may allow victim browsers to execute code supplied by the attacker.

Affected Systems

All builds of the MediaWiki extension named Bucket distributed by the vendor weirdgloop are affected if the version is older than 2.1.1. Versions 2.1.1 and later incorporate the fix and are considered safe.

Risk and Exploitability

The CVSS base score of 8.8 indicates high severity, while the EPSS score of less than 1 percent suggests a low likelihood of exploitation at present. The vulnerability is not included in the CISA KEV catalog. Exploitation requires an attacker to write data to a PAGE-type field. The description does not specify required privileges; it is inferred that such writes may require editor or higher access. Note, however, that the CVSS 4.0 vector recorded in the history below carries PR:N (no privileges required), so that inference should be treated as unconfirmed. After the payload is stored, any user who visits the affected namespace page will have the script executed.

Generated by OpenCVE AI on April 18, 2026 at 09:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bucket extension to version 2.1.1 or newer.
  • If an upgrade is not immediately possible, revoke write permissions on Bucket tables for users with editor or lower privileges to stop malicious content insertion.
  • Add an input‑validation or sanitization layer on writes to Bucket namespace pages so that script code is not stored or rendered.

Generated by OpenCVE AI on April 18, 2026 at 09:39 UTC.
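The sanitization layer recommended above, shown as an added example that is not part of this advisory and not the Bucket extension's own code: a minimal PHP rendering routine with the unsafe pattern (a PAGE-type field value interpolated raw into HTML, which is the shape of a stored XSS) beside the escaped version that encodes the value for both the attribute and text contexts. The function names, the `/wiki/` link prefix and the sample value are assumptions for illustration; a real MediaWiki extension would build the markup with core's `Html::element` helper rather than bare `htmlspecialchars`, but the principle (escape at output time, per context) is the same.

```php
<?php
// Added example (PHP 8): output encoding for a table field rendered as HTML.
// Function names, link prefix and the sample row are constructed for
// illustration; they are not Bucket's own code.

/**
 * Unsafe: the stored value is interpolated verbatim into the markup.
 * Any HTML stored in the field, including a <script> tag, reaches the
 * browser unchanged and runs in every viewer's session.
 */
function renderPageFieldUnsafe(string $pageTitle): string {
    return "<td class=\"bucket-field\"><a href=\"/wiki/$pageTitle\">$pageTitle</a></td>";
}

/**
 * HTML-escape an untrusted string for use in element text or a quoted
 * attribute. ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE
 * replaces invalid UTF-8 instead of returning an empty string, which would
 * otherwise silently drop the value.
 */
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened: the href gets percent-encoding (URL context) and the visible
 * text gets HTML escaping (text context). Escaping happens at output time,
 * so what is stored in the table no longer matters to the browser.
 */
function renderPageFieldSafe(string $pageTitle): string {
    $href = '/wiki/' . rawurlencode($pageTitle);     // assumed article path
    return '<td class="bucket-field"><a href="' . escapeHtml($href) . '">'
        . escapeHtml($pageTitle) . '</a></td>';
}

/**
 * Self-check used by the demo below: true when the rendered markup contains
 * no raw tag delimiters coming from the untrusted value.
 */
function isTagFree(string $html, string $untrusted): bool {
    return strpos($html, '<script') === false
        && substr_count($html, '<') === substr_count(renderPageFieldSafe(''), '<');
}

// Constructed sample: a page-title-like value carrying a script tag.
$sampleValue = 'Main Page<script>alert(1)</script>';

$unsafe = renderPageFieldUnsafe($sampleValue);
$safe   = renderPageFieldSafe($sampleValue);

if (!str_contains($unsafe, '<script>')) {
    fwrite(STDERR, "unexpected: unsafe renderer did not pass the tag through\n");
    exit(1);
}
if (!isTagFree($safe, $sampleValue) || !str_contains($safe, '&lt;script&gt;')) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

Running the file prints the two renderings side by side: the unsafe row still carries a live `<script>` element, while the hardened row shows `&lt;script&gt;` in the link text and `%3Cscript%3E` in the href, so the browser renders the title as literal text and navigates to a harmless (if nonexistent) page. The same per-context escaping is what an input-side filter cannot reliably give you, which is why the fix belongs at render time rather than only at write time.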


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Weirdgloop; Weirdgloop mediawiki-extensions-bucket
Vendors & Products | | Weirdgloop; Weirdgloop mediawiki-extensions-bucket
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed in 2.1.1.
Title | | Stored XSS on Bucket namespace pages
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T13:52:52.786Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30917

Vulnrichment

Updated: 2026-03-10T13:52:49.182Z

NVD

Status : Deferred

Published: 2026-03-10T17:40:15.517

Modified: 2026-04-16T14:45:19.723

Link: CVE-2026-30917

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:45:25Z

Weaknesses