Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.
Published: 2026-04-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that can execute JavaScript in the context of a logged‑in user, potentially compromising confidential data and session integrity.
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from improper neutralization of user input during web page generation in the GlobalWatchlist Extension. This flaw enables a malicious actor to inject and execute arbitrary JavaScript, which could lead to data theft, phishing, or manipulation of the user experience. The weakness is identified as a reflected XSS, providing attackers with the means to compromise confidentiality and integrity of affected users.

Affected Systems

The impact is limited to installations of MediaWiki that use the GlobalWatchlist Extension, specifically those running MediaWiki versions 1.43, 1.44, or 1.45. Systems that have upgraded to these release branches or the master branch are not affected. Older or unpatched installations remain vulnerable.

Risk and Exploitability

The CVSS base score of 6.9 indicates a moderate to high risk, yet the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, which again points to a lower likelihood of widespread attacks. Attackers could exploit the flaw by delivering a crafted watchlist entry or link containing malicious script to a victim, who would then execute it in their browser. Fixing the input sanitization in the removes the attack surface.

Generated by OpenCVE AI on April 8, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the GlobalWatchlist Extension to the patched version on the master branch or the release branches for MediaWiki 1.43, 1.44, and 1.45.
  • Upgrade MediaWiki core to the latest stable release that includes this patch.
  • Verify that the site no longer reflects injected scripts by testing with a harmless payload and review access logs for suspicious activity.

Generated by OpenCVE AI on April 8, 2026 at 23:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS).This issue affects non release branches. Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

 cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Wikimedia
Wikimedia mediawiki - Globalwatchlist Extension
Vendors & Products Wikimedia
Wikimedia mediawiki - Globalwatchlist Extension

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS).This issue affects non release branches.
Title Multiple XSS vulnerabilities in GlobalWatchlist
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Wikimedia Mediawiki - Globalwatchlist Extension
cve-icon MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-04-08T22:00:59.635Z

Reserved: 2026-04-07T21:25:36.589Z

Link: CVE-2026-39933

cve-icon Vulnrichment

Updated: 2026-04-08T15:22:02.671Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-07T22:16:23.980

Modified: 2026-04-08T22:16:22.153

Link: CVE-2026-39933

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:28:38Z

Weaknesses