Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation SyntaxHighlight_GeSHi.

This vulnerability is associated with program files includes/SyntaxHighlight.Php.

This issue affects SyntaxHighlight_GeSHi: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Published: 2026-07-01
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation (XSS) flaw found in Wikimedia Foundation’s SyntaxHighlight_GeSHi component. An attacker can supply a value for the extended "linelinks" attribute that is stored and later rendered unescaped, allowing malicious JavaScript to persistently execute within an authenticated user’s browser. This stored XSS can be used to hijack user sessions, deface content, or exfiltrate sensitive data, affecting confidentiality and integrity for users of the affected application.

Affected Systems

The issue appears in Wikimedia Foundation SyntaxHighlight_GeSHi, specifically versions prior to 1.46.0 and the releases 1.45.4, 1.44.6, and 1.43.9. All earlier releases are also vulnerable. The vulnerability arises in files related to SyntaxHighlight.Php.

Risk and Exploitability

The CVSS score of 5.3 places the flaw in the moderate severity range. No EPSS score is available, so the probability of exploitation cannot be quantified from the data. The vulnerability is not listed in the CISA KEV catalog, so no known widespread exploitation has been documented. The likely attack path requires an attacker to inject malicious content via the "linelinks" attribute into a page or data field that is processed and stored by SyntaxHighlight_GeSHi, implying that the ability to craft the input is a prerequisite. Attacker impact would be confined to the affected user’s session and any downstream users who view the compromised content.

Generated by OpenCVE AI on July 2, 2026 at 05:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SyntaxHighlight_GeSHi to version 1.46.0 or later, which removes the vulnerable handling of the linelinks attribute.
  • If an upgrade is not immediately possible, configure the system to strip or reject the linelinks attribute from user input before it is stored or rendered.
  • Implement output encoding for all dynamic output generated by SyntaxHighlight_GeSHi to ensure that user supplied data is properly escaped as per CWE-79 best practices.
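To make the weakness class and the second and third actions concrete, here is an added, hypothetical PHP example; it is not code from SyntaxHighlight_GeSHi or includes/SyntaxHighlight.Php, and it assumes the linelinks value is used as a prefix inside an HTML id/href attribute of the rendered block (function names and the allowlist policy are the editor's own).

```php
<?php
// Added, hypothetical example: not code from SyntaxHighlight_GeSHi.
// Assumption: the 'linelinks' value ends up inside HTML attributes of the output.

/** Vulnerable shape (CWE-79): the attribute value is concatenated into markup as-is. */
function renderLineLinksVulnerable(string $linelinks, int $line): string
{
    $id = $linelinks . '-' . $line;
    return '<a id="' . $id . '" href="#' . $id . '">' . $line . '</a>';
}

/**
 * Hardened shape: reject anything outside a strict allowlist before it is stored
 * or rendered, and still HTML-encode on output as a second layer.
 * Returns null when the value is rejected so the caller can drop the attribute.
 */
function renderLineLinksSafe(string $linelinks, int $line): ?string
{
    // Assumed policy: an id prefix is a letter followed by letters, digits, '_' or '-'.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_-]{0,63}$/', $linelinks)) {
        return null;
    }
    $id = htmlspecialchars($linelinks . '-' . $line, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a id="' . $id . '" href="#' . $id . '">' . $line . '</a>';
}

// Constructed inputs: a benign prefix and one that closes the attribute and adds its own.
$cases = ['snippet', 'x" data-injected="1', 'has space'];
foreach ($cases as $value) {
    echo "input: {$value}\n";
    echo "  vulnerable: " . renderLineLinksVulnerable($value, 1) . "\n";
    echo "  hardened:   " . (renderLineLinksSafe($value, 1) ?? '(rejected)') . "\n";
}
```

The vulnerable renderer lets the second input introduce an attacker-controlled attribute into the page, while the hardened one rejects it before storage and encodes whatever it does emit.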

Tracking


Advisories

No advisories yet.

References
History

Wed, 01 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation SyntaxHighlight_GeSHi. This vulnerability is associated with program files includes/SyntaxHighlight.Php. This issue affects SyntaxHighlight_GeSHi: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Title SyntaxHighlight stored XSS via unsanitized 'linelinks' attribute
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-07-01T15:48:58.797Z

Reserved: 2026-06-27T13:32:37.577Z

Link: CVE-2026-58030

Vulnrichment

Updated: 2026-07-01T15:48:54.831Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T05:30:17Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')