Description
Vulnerability in Wikimedia Foundation MediaWiki.

This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php.

This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Published: 2026-05-11
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In MediaWiki the action=raw handler is meant to return the raw contents of a subpage. The vulnerability causes the server to respond with a Content‑Type header of text/html when the request header indicates text/javascript, allowing the browser to interpret injected JavaScript as executable code. This misreporting of the MIME type can facilitate cross‑site scripting attacks. The flaw originates in the ActionEntryPoint and FauxResponse components that build the HTTP response and is classified as a representation error (CWE‑668).

Affected Systems

All MediaWiki releases older than 1.43.7, 1.44.4, or 1.45.2 are affected. Sites that enable the action=raw feature for user‑controlled subpages are at risk, regardless of whether the attacker is authenticated.

Risk and Exploitability

No CVSS or EPSS scores are publicly available, and the vulnerability is not listed in CISA KEV. The attack vector is a straightforward HTTP request to Special:Mypage?action=raw with the content‑type header set to text/javascript and a subpage title that contains a malicious payload. An attacker can supply arbitrary titles, leading to the server delivering the payload under a text/html type, thereby enabling XSS. While no public exploits have been reported, the combination of user‑controlled subpage names, the action=raw feature, and the MIME type mismatch presents a realistic threat.

Generated by OpenCVE AI on May 11, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MediaWiki to version 1.45.2 or later to receive the official fix that corrects the Content‑Type header for action=raw requests.
  • If an immediate upgrade is not possible, disable or restrict the action=raw feature for publicly accessible subpages, or configure the web server to enforce strict Content‑Type matching and reject requests where the requested MIME type does not match the supplied Content‑Type header.
  • Sanitize subpage titles to remove or escape characters that could form script tags, reducing the chance that a MIME type mismatch will result in executable code.
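
The check behind the "strict Content‑Type matching" recommendation above, and the MIME mismatch described under Impact, can be verified on a site's own traffic. The following is an added example, not OpenCVE's or MediaWiki's code: it compares the ctype requested by an action=raw URL with the Content‑Type the server actually returned and flags responses that came back as a renderable document type. The tab‑separated log records are constructed for the example, and the default raw type (text/x-wiki) used when ctype is absent is an assumption about MediaWiki's behaviour, not something stated on this page.

```python
# Added example (not OpenCVE's or MediaWiki's code): flag action=raw responses whose
# served Content-Type differs from the requested ctype, as in CVE-2026-34095.
# The log format below is constructed for this example; the default raw type
# (text/x-wiki) is an assumption about MediaWiki's behaviour, not taken from the page.
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Media types a browser renders as a document, so a response meant to be a script
# or stylesheet but served under one of these can have its body interpreted as markup.
RENDERABLE_TYPES = {"text/html", "application/xhtml+xml"}

DEFAULT_RAW_CTYPE = "text/x-wiki"  # assumed MediaWiki default when ctype is absent


def media_type(header_value: Optional[str]) -> str:
    """Return the lowercase media type of a Content-Type header without its parameters."""
    if not header_value:
        return ""
    return header_value.split(";", 1)[0].strip().lower()


def requested_raw_ctype(url: str) -> Optional[str]:
    """Return the ctype an action=raw request asked for, or None if the URL is not action=raw."""
    params = parse_qs(urlsplit(url).query)
    if "raw" not in params.get("action", []):
        return None
    return params.get("ctype", [DEFAULT_RAW_CTYPE])[0].strip().lower()


def raw_response_mismatch(url: str, served_content_type: str) -> Optional[str]:
    """Describe a Content-Type mismatch on an action=raw response, or return None when consistent."""
    requested = requested_raw_ctype(url)
    if requested is None:
        return None
    served = media_type(served_content_type)
    if served == requested:
        return None
    if served in RENDERABLE_TYPES:
        return f"requested {requested} but served {served}: browser renders the body as a document"
    return f"requested {requested} but served {served}"


# Constructed sample records: method, URL, status, response Content-Type (tab-separated).
# The second record is the shape of response a vulnerable instance produces for a
# Special:Mypage subpage requested with ctype=text/javascript.
SAMPLE_LOG = """\
GET\t/index.php?title=Special:Mypage/common.js&action=raw&ctype=text/javascript\t200\ttext/javascript; charset=utf-8
GET\t/index.php?title=Special:Mypage/vector.js&action=raw&ctype=text/javascript\t200\ttext/html; charset=UTF-8
GET\t/index.php?title=Main_Page\t200\ttext/html; charset=UTF-8
GET\t/index.php?title=MediaWiki:Common.css&action=raw&ctype=text/css\t200\ttext/css; charset=utf-8
"""


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per logged action=raw response whose Content-Type does not match."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        method, url, status, ctype = line.split("\t")
        problem = raw_response_mismatch(url, ctype)
        if problem:
            findings.append({"line": lineno, "url": url, "status": int(status), "finding": problem})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['url']} -> {f['finding']}")
```

Run against the instance's own access log once the response Content‑Type is included in the log format; any finding on an upgraded instance indicates the fix is not in effect, and findings on an unpatched instance show which subpage titles are being served as text/html. The same comparison can be applied at a reverse proxy to reject the mismatched response before it reaches the browser.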

Generated by OpenCVE AI on May 11, 2026 at 19:53 UTC.

Advisories

Source      ID          Title
Debian DSA  DSA-6208-1  mediawiki security update
References
History

Mon, 11 May 2026 18:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wikimedia; Wikimedia mediawiki
Vendors & Products                    Wikimedia; Wikimedia mediawiki

Mon, 11 May 2026 18:30:00 +0000

Type        Values Removed   Values Added
Weaknesses                   CWE-668
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 17:30:00 +0000

Type         Values Removed   Values Added
Description                   Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Title                         action=raw with Special:Mypage subpage title responds with "Content-Type: text/html" on ctype=text/javascript request
References
Metrics                       cvssV4_0
                              {'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-05-11T18:04:03.036Z

Reserved: 2026-03-25T17:15:46.522Z

Link: CVE-2026-34095

Vulnrichment

Updated: 2026-05-11T18:03:55.209Z

NVD

Status: Undergoing Analysis

Published: 2026-05-11T18:16:32.223

Modified: 2026-05-12T14:45:49.820

Link: CVE-2026-34095

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T20:00:15Z

Weaknesses