Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Published: 2026-04-07
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Cargo Extension in MediaWiki fails to fully neutralize user‑supplied input when generating web pages, resulting in a cross‑site scripting (XSS) flaw that targets non‑script elements such as CSS. An attacker who can insert content into a Cargo query or view can cause victim browsers to execute arbitrary JavaScript, which may lead to theft of authentication cookies, defacement of pages, or redirection to malicious sites. The flaw is present in versions before 3.8.7, which corrects the input handling.

Affected Systems

All installations of the MediaWiki Cargo Extension deploying a version older than 3.8.7 are potentially vulnerable. This includes many community and enterprise wikis that rely on Cargo for custom database queries and display formats.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS score is reported, and the flaw is not part of the CISA Known Exploited Vulnerabilities catalogue, suggesting limited current exploitation data. However, the web‑based nature and lack of data sanitisation mean that an attacker can exercise the flaw by crafting a malicious Cargo query or by enabling an attacker‑controlled content block, a straightforward attack path for a determined adversary.

Generated by OpenCVE AI on April 7, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cargo Extension update (version 3.8.7 or newer).
  • Verify that the patch has been applied by checking the extension version on the wiki’s administration page.
  • If an immediate update is not possible, disable the Cargo Extension or restrict its access to trusted users until the vulnerability is resolved.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mediawiki; Mediawiki cargo
CPEs | | cpe:2.3:a:mediawiki:cargo:*:*:*:*:*:*:*:*
Vendors & Products | | Mediawiki; Mediawiki cargo
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wikimedia; Wikimedia mediawiki-cargo Extension
Vendors & Products | | Wikimedia; Wikimedia mediawiki-cargo Extension

Tue, 07 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Title | | CSS injection in multiple Cargo display formats
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-04-07T20:42:42.943Z

Reserved: 2026-04-07T18:21:12.573Z

Link: CVE-2026-39840

Vulnrichment

Updated: 2026-04-07T20:39:46.695Z

NVD

Status: Analyzed

Published: 2026-04-07T20:16:33.923

Modified: 2026-04-15T23:43:46.023

Link: CVE-2026-39840

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:23:07Z

Weaknesses