Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.

This vulnerability is associated with program files resources/src/mediawiki.Special.Block/SpecialBlock.Vue.
Published: 2026-07-01
Score: 0 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a Stored XSS flaw in Wikimedia Foundation MediaWiki, where a message added or edited through Special:Block is not properly neutralized when rendered on a page. The flaw allows an attacker to embed malicious JavaScript that will execute whenever a user views the block page, potentially hijacking the user's session, stealing credentials, or defacing content. The weakness is identified as CWE‑79 and represents an integrity and confidentiality compromise for any affected user who views the compromised page.

Affected Systems

The affected product is MediaWiki from the Wikimedia Foundation. Version information is not specified in the CVE data, so any deployment of MediaWiki that still hosts the vulnerable special block message handling code is at risk. Administrators must determine if their installed version includes the patch that eliminates the improper input sanitization.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is unavailable, so the exact risk level cannot be quantified from the public data. However, stored XSS vulnerabilities typically carry moderate to high severity, with the risk of exploitation depending on the accessibility of the Special:Block interface and the permissions of the users interacting with it. Since the vulnerability is not listed in CISA’s KEV catalog, there is no evidence of known active exploitation at this time, but the attack vector inferred from the description suggests that privileged users or those able to edit system messages could introduce malicious content.

Generated by OpenCVE AI on July 1, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MediaWiki to the latest version that resolves the stored XSS flaw in Special:Block.
  • If an immediate patch is unavailable, restrict editing rights on system messages to trusted administrators only and audit existing messages for suspicious content.
  • Apply output escaping or sanitization to system messages in the template code to neutralize potential script payloads.

Generated by OpenCVE AI on July 1, 2026 at 16:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Wed, 01 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Block/SpecialBlock.Vue.
Title Stored XSS through a system message in the codex version of Special:Block
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-07-01T14:54:43.230Z

Reserved: 2026-06-27T13:32:41.613Z

Link: CVE-2026-58035

cve-icon Vulnrichment

Updated: 2026-07-01T14:54:38.460Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T16:45:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')