Description
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Published: 2026-04-07
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability arises from an improper neutralization of script‑related HTML tags when URLs are embedded in the Cargo Extension’s map format. As a result, malicious JavaScript can be stored and rendered to users who view the affected page. This allows an attacker to execute code in the context of the site, potentially compromising user data and site integrity.

Affected Systems

MediaWiki Cargo Extension versions prior to 3.8.7 are affected. Sites running these older releases are at risk if Cargo data can be edited or submitted by users.

Risk and Exploitability

The CVSS score of 6.3 reflects moderate severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker who can submit or modify Cargo data, causing the stored XSS payload to be displayed to other users.

Generated by OpenCVE AI on April 7, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cargo Extension update (v3.8.7 or later).
  • If an update cannot be applied immediately, implement a temporary sanitization rule that escapes or removes script tags from URLs stored in Cargo maps.
  • Review and sanitize existing Cargo data to remove any stored script tags.

Generated by OpenCVE AI on April 7, 2026 at 22:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Mediawiki
Mediawiki cargo
CPEs cpe:2.3:a:mediawiki:cargo:*:*:*:*:*:*:*:*
Vendors & Products Mediawiki
Mediawiki cargo
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Wikimedia
Wikimedia mediawiki-cargo Extension
Vendors & Products Wikimedia
Wikimedia mediawiki-cargo Extension

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Title Stored XSS through URLs in Cargo's map format
Weaknesses CWE-80
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Mediawiki Cargo
Wikimedia Mediawiki-cargo Extension
cve-icon MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-04-07T20:42:43.130Z

Reserved: 2026-04-07T18:21:12.573Z

Link: CVE-2026-39839

cve-icon Vulnrichment

Updated: 2026-04-07T20:39:58.956Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T20:16:33.773

Modified: 2026-04-15T23:50:15.143

Link: CVE-2026-39839

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:23:08Z

Weaknesses