Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.

This vulnerability is associated with program files resources/src/mediawiki.Api/index.Js.
This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Published: 2026-07-01
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation: HTML fragments inserted into an API error message are returned unescaped by the client-side helper mw.Api.getErrorMessage(). This is a classic cross-site scripting (CWE-79) flaw that can lead to script execution in the context of a victim's browser when the unescaped error message is rendered in a web page.

Affected Systems

The issue affects the Wikimedia Foundation MediaWiki system. Any installation of MediaWiki prior to release 1.46.0, 1.45.4, 1.44.6, or 1.43.9 is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. No EPSS score is available, so the likelihood of exploitation is uncertain; the flaw is not listed in CISA's KEV catalog. The flaw is client-side: an attacker would need to supply a crafted request to the API endpoint that triggers the unescaped error message, which is then rendered in a user's browser as HTML. Without mitigations, a malicious actor could inject script payloads that execute in the context of the site with the privileges of the logged-in user.

Generated by OpenCVE AI on July 2, 2026 at 00:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MediaWiki to a fixed release (1.46.0, 1.45.4, 1.44.6, or 1.43.9) or newer.
  • When the upgrade cannot be performed immediately, enforce the errorformat=html query parameter on all API calls that could return error messages, so that the server returns error output that is already escaped.
  • Audit custom extensions and scripts that use mw.Api.getErrorMessage() to verify that the output is sanitized before rendering or that the errorformat=html parameter is set, so that unescaped HTML is never served to browsers.

Advisories

No advisories yet.

References
History

Wed, 01 Jul 2026 23:00:00 +0000

Type: First Time appeared
  Values added: Wikimedia; Wikimedia mediawiki
Type: Vendors & Products
  Values added: Wikimedia; Wikimedia mediawiki

Wed, 01 Jul 2026 17:30:00 +0000

Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Jul 2026 15:30:00 +0000

Type: Description
  Values added: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Api/index.Js. This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Type: Title
  Values added: mw.Api.getErrorMessage() may return injected HTML if used without errorformat=html
Type: Weaknesses
  Values added: CWE-79
Type: References
Type: Metrics (cvssV4_0)
  Values added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-07-01T15:48:38.393Z

Reserved: 2026-06-27T13:32:37.577Z

Link: CVE-2026-58032

Vulnrichment

Updated: 2026-07-01T15:48:32.793Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T01:00:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')