Impact
The vulnerability is an improper neutralization of input during web page generation: HTML fragments inserted into an error message are returned unescaped by the API call mw.Api.getErrorMessage(). This is a classic cross‑site scripting flaw (CWE‑79) that can lead to malicious script execution in a victim’s browser when the unescaped error message is rendered into a web page.
Affected Systems
The issue affects MediaWiki, the Wikimedia Foundation’s wiki software. Any installation of MediaWiki earlier than 1.46.0, 1.45.4, 1.44.6, or 1.43.9 (the fixed release on each of those branches) is vulnerable.
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity. No EPSS score is available, so the likelihood of exploitation is uncertain, and the vulnerability is not listed in CISA’s KEV catalog. The flaw is client‑side: an attacker would need to supply a crafted request to the API endpoint that triggers the unescaped error message, which is then rendered in a user’s browser as HTML. Without mitigations, a malicious actor could inject script payloads that execute in the context of the site with the privileges of the logged‑in user.
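The following is an added example, not code from MediaWiki or from this advisory. It shows the defect class described above in miniature: an API error message that is concatenated into markup without escaping, beside the escaped form, plus a small check a UI test could use to catch unescaped content. The only identifier taken from the page is mw.Api.getErrorMessage(); the error-object shape, the function names and the sample error text are constructed for this demonstration.

```javascript
// Added example (not MediaWiki's own code). mw.Api.getErrorMessage() is the real
// helper named in the advisory; the response shape and helpers below are
// stand-ins constructed for the demo.

// Constructed action-API style error response. The `info` field is the part
// an attacker could influence when a rejected parameter value is echoed back.
const SAMPLE_ERROR = {
  error: {
    code: 'badvalue',
    info: 'Unrecognized value "<script>alert(1)</script>" for parameter "format".',
  },
};

// Escape the five characters that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Reverse of escapeHtml, used to show that escaping loses no information.
function unescapeHtml(html) {
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (_, entity) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  })[entity]);
}

// Vulnerable pattern: the raw message is interpolated into markup unchanged,
// which is the behaviour the advisory describes for the unpatched helper.
function renderErrorUnsafe(response) {
  return `<div class="mw-error">${response.error.info}</div>`;
}

// Hardened pattern: escape before interpolating. In a browser, assigning the
// message via textContent instead of innerHTML gives the same guarantee.
function renderErrorSafe(response) {
  return `<div class="mw-error">${escapeHtml(response.error.info)}</div>`;
}

// Detection check for a rendered error block: after removing the one wrapper
// element we expect, any remaining tag opener means unescaped content got
// through. Suitable as an assertion in a component's unit tests.
function hasInjectedTags(html) {
  const inner = html
    .replace(/^<div class="mw-error">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

console.log('unsafe:', renderErrorUnsafe(SAMPLE_ERROR));
console.log('safe:  ', renderErrorSafe(SAMPLE_ERROR));
console.log('unsafe leaks tags:', hasInjectedTags(renderErrorUnsafe(SAMPLE_ERROR)));
console.log('safe leaks tags:  ', hasInjectedTags(renderErrorSafe(SAMPLE_ERROR)));
```

The practical takeaway for code that consumes error messages from an API client is to treat the message as data, never as markup: either escape it as above or insert it with a text-only DOM API, and keep a test like hasInjectedTags() in the component's test suite so a regression in the shared helper is caught at render time.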
OpenCVE Enrichment