Description
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Published: 2026-04-07
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Patch Immediately
AI Analysis

Impact

The Cargo Extension in MediaWiki does not neutralize script‑related HTML tags that can be entered into list fields. When a malicious user saves such content, the script tags are rendered in Cargo pages and the Special:CargoTables view. The injected code executes in the browsers of any visitors to those pages, allowing session hijacking, credential theft or other client‑side attacks. This weakness is a classic cross‑site scripting flaw, matching CWE‑79 and CWE‑80.

Affected Systems

All installations of the MediaWiki Cargo Extension that are older than version 3.8.7 are affected. The issue manifests when list fields are populated with unsanitized user input and the resulting values are displayed on Cargo pages or the special table view. Every user who can view those pages is potentially exposed to the risk.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. The EPSS score is less than 1 % and the vulnerability is not listed in the CISA KEV catalog, implying limited exploitation activity to date. Attackers can exploit the flaw by creating or editing Cargo entries containing malicious script tags through normal web requests; any subsequent viewing of the affected pages will trigger the injected code, making the vulnerability fully stored and easily repeatable.

Generated by OpenCVE AI on April 17, 2026 at 09:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cargo Extension to version 3.8.7 or newer so that script tags are properly neutralized.
  • Restrict or disable write access to list fields that accept script tags, and enforce strict sanitization of any user‑supplied content before it is stored or rendered.
  • Monitor logs and user activity for unexpected changes to Cargo entries and review recently updated pages for suspicious script content.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Mediawiki
Mediawiki cargo
Weaknesses CWE-79
CPEs cpe:2.3:a:mediawiki:cargo:*:*:*:*:*:*:*:*
Vendors & Products Mediawiki
Mediawiki cargo
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Wikimedia
Wikimedia mediawiki-cargo Extension
Vendors & Products Wikimedia
Wikimedia mediawiki-cargo Extension

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Title Stored XSS through list fields on Cargo's page values and Special:CargoTables
Weaknesses CWE-80
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-04-07T20:42:42.588Z

Reserved: 2026-04-07T18:21:12.573Z

Link: CVE-2026-39841

Vulnrichment

Updated: 2026-04-07T20:39:22.547Z

NVD

Status : Analyzed

Published: 2026-04-07T20:16:34.077

Modified: 2026-04-15T23:42:09.723

Link: CVE-2026-39841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T09:30:14Z

Weaknesses