Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements.
The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.
Published: 2026-04-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (client side)
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises when the ProofreadPage Extension does not fully neutralize CSS input, allowing attackers to inject malicious code into page rendering. The weakness corresponds to CWE‑79, enabling cross‑site scripting that can execute arbitrary scripts in the context of a victim user, potentially leading to session hijacking, data theft, or defacement.

Affected Systems

The issue affects Wikimedia Foundation MediaWiki installations that use the ProofreadPage Extension. Versions before MediaWiki 1.43 are vulnerable; patches are available on the master branch and in the release branches for MediaWiki 1.43, 1.44 and 1.45.

Risk and Exploitability

With a CVSS score of 6.9, the risk is moderate to high, but the EPSS indicates a very low likelihood of exploitation (<1%). The vulnerability is not listed in CISA’s KEV catalog. Attackers could exploit it by inserting malicious CSS into content processed by the extension, which will be rendered in the browsers of all users who view the affected page.

Generated by OpenCVE AI on April 8, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MediaWiki installation to a patched release (1.43, 1.44, or 1.45) or apply the master branch fixes
  • If upgrading is not immediately possible, consider disabling the ProofreadPage Extension or removing unsanitized multiline styles until a patch can be applied

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Wikimedia; Wikimedia mediawiki-proofreadpage Extension
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wikimedia; Wikimedia mediawiki-proofreadpage Extension

Wed, 08 Apr 2026 19:15:00 +0000

Type: Description
  Values Removed: Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements.This issue affects .
  Values Added: Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.

Tue, 07 Apr 2026 21:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements.This issue affects .
Type: Title
  Values Removed: (none)
  Values Added: ProofreadPage improperly sanitizes multiline styles using Sanitizer::checkCSS
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79
Type: References
  Values Removed: (none)
  Values Added:
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-04-08T18:48:41.035Z

Reserved: 2026-04-07T18:21:12.573Z

Link: CVE-2026-39838

Vulnrichment

Updated: 2026-04-07T20:40:11.397Z

NVD

Status: Awaiting Analysis

Published: 2026-04-07T20:16:33.477

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-39838

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:28:41Z

Weaknesses