Description
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Published: 2026-04-07
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS causing arbitrary client‑side script execution
Action: Apply Patch
AI Analysis

Impact

A stored cross-site scripting vulnerability exists in the Cargo extension for MediaWiki. The flaw arises from inadequate neutralization of script-related HTML tags in the dynamic table format, which allows an attacker to embed malicious JavaScript that is later rendered in a wiki page. When the page is viewed, the injected code executes in the victim's browser, potentially enabling credential theft, defacement, or redirection.

Affected Systems

This issue affects the Wikimedia Foundation's MediaWiki Cargo Extension in versions older than 3.8.7. The vulnerable component is the dynamic table feature, where user-entered data is displayed without proper filtering. No other MediaWiki components were identified as affected in the advisory.

Risk and Exploitability

The CVSS base score is 6.3, indicating moderate risk. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can inject malicious scripts via dynamic table entries, which are then displayed to every user who views the page. The flaw resides on the client side, so no privileged access is required to exploit it. The absence of a public exploit combined with the moderate score suggests the risk is real but moderate, making timely patching prudent.

Generated by OpenCVE AI on April 7, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cargo Extension update to version 3.8.7 or later
  • Restrict permission to edit Cargo tables to trusted users only
  • Monitor for unexpected script behavior and user reports of abnormal page activity


Tracking


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 00:00:00 +0000

Type: First Time appeared
  Values Added: Mediawiki, Mediawiki cargo
Type: CPEs
  Values Added: cpe:2.3:a:mediawiki:cargo:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Mediawiki, Mediawiki cargo
Type: Metrics
  Values Added: cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
  Values Added: Wikimedia, Wikimedia mediawiki-cargo Extension
Type: Vendors & Products
  Values Added: Wikimedia, Wikimedia mediawiki-cargo Extension

Tue, 07 Apr 2026 21:15:00 +0000

Type: Metrics
  Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 20:45:00 +0000

Type: Description
  Values Added: Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Type: Title
  Values Added: Stored XSS through the dynamic table format in Cargo
Type: Weaknesses
  Values Added: CWE-80
Type: References
Type: Metrics
  Values Added: cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


Subscriptions

Mediawiki Cargo
Wikimedia Mediawiki-cargo Extension
MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-04-07T20:42:42.016Z

Reserved: 2026-04-07T18:21:12.572Z

Link: CVE-2026-39837

Vulnrichment

Updated: 2026-04-07T20:38:58.303Z

NVD

Status: Analyzed

Published: 2026-04-07T20:16:33.307

Modified: 2026-04-15T23:51:37.763

Link: CVE-2026-39837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:23:05Z

Weaknesses