Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation timeline.

This vulnerability is associated with program files includes/Timeline.Php, scripts/EasyTimeline.Pl.

This issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Published: 2026-07-01
Score: 0 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an Improper Neutralization of Input During Web Page Generation (XSS) in the output path of the Timeline extension: link targets taken from user-supplied timeline markup end up as javascript: URLs in the SVG files that the EasyTimeline renderer (scripts/EasyTimeline.pl, driven by includes/Timeline.php) generates. The payload is stored with the page, so every reader who views the timeline and activates the link runs the script in the wiki's origin, with the usual stored-XSS consequences (session or token theft, actions performed with the victim's rights, page defacement). A javascript: href in an SVG only fires when the SVG is rendered as a document (inline in the HTML, or via object/iframe), not when it is loaded through an img element; the "stored XSS" in the title implies the former. The weakness is categorized as CWE-79.

Affected Systems

The issue is in the Wikimedia Foundation's Timeline extension for MediaWiki, which renders the <timeline> tag. The description's version list, "from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9", follows the MediaWiki security-release convention: every release before 1.46.0 is affected, and the fix is backported so that 1.45.4, 1.44.6 and 1.43.9 are the first fixed releases on the 1.45, 1.44 and 1.43 branches, not additional vulnerable versions. Any wiki that lets users add or edit timeline markup and serves the generated SVG to readers is exposed; the attacker-controlled input is the timeline markup, not an uploaded SVG, so SVG upload settings are unrelated.

Risk and Exploitability

No EPSS score is available and the CVE is not in CISA's KEV catalog. The CNA did publish a CVSS 4.0 vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N); because every impact metric is set to None it scores 0.0, and the SSVC assessment lists Exploitation: none, Automatable: no, Technical Impact: partial. Those numbers describe how the entry was scored rather than what the bug does: a javascript: URL that an editor can plant in a rendered timeline persists with the page and executes in the wiki's origin for every reader who activates it, which is the standard stored-XSS risk profile. The realistic precondition is edit access to a page carrying a <timeline> block (the vector's PR:L), which on many wikis is broadly available. How likely exploitation is cannot be quantified from the data on this page.

Generated by OpenCVE AI on July 2, 2026 at 00:47 UTC.

Remediation

No vendor advisory or patch reference is linked from this entry. The version list in the description indicates that the fix ships in 1.46.0 and is backported to 1.45.4, 1.44.6 and 1.43.9.

OpenCVE Recommended Actions

  • Upgrade the Timeline extension to 1.46.0, or to the fixed release on your branch (1.45.4, 1.44.6 or 1.43.9), keeping the extension in step with your MediaWiki release branch.
  • If an immediate upgrade is not possible, limit who can plant the payload: restrict editing of pages that use <timeline>, or disable the extension until it is patched. Scanning already-rendered SVG output for hrefs whose scheme is not http, https or relative tells you whether a payload is already stored. Any interim input filter must normalise before comparing schemes (lower-case, trim leading control characters and spaces, remove embedded tab and newline), because a browser treats "JavaScript:" and "java<tab>script:" exactly like "javascript:"; an allowlist of schemes is safer than a denylist of known-bad ones.
  • Deploy a Content Security Policy whose script-src does not include 'unsafe-inline'. Browsers treat navigation to a javascript: URL as inline script, so such a policy blocks the payload even while the stored markup remains. MediaWiki can emit the header itself; whatever the source, verify the effective script-src on timeline pages has no 'unsafe-inline'.
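The following is an added example written for this page; it is not code from the Timeline extension or from Wikimedia, and Python stands in for the extension's PHP and Perl so that it runs stand-alone. It shows the pattern the CVE title describes (a user-supplied link target copied straight into an SVG <a xlink:href>) beside a hardened renderer that allowlists schemes after browser-style normalisation, plus a scanner that audits already-generated SVG for script-capable hrefs. EasyTimeline's directive syntax and real output are not reproduced; the sample SVG and all function names are constructed for illustration.

```python
# Added example for this CVE page; not code from the Timeline extension or
# from Wikimedia. EasyTimeline directive names and real output are not
# reproduced; the input is simply a user-supplied link target.
from __future__ import annotations

import html
import re
from urllib.parse import urlsplit
from xml.sax.saxutils import escape, quoteattr

# Schemes a generated <a xlink:href> may carry. Everything else
# (javascript:, data:, vbscript:, ...) is dropped, not escaped: escaping
# keeps the URL intact, and an intact javascript: URL still runs on click.
ALLOWED_SCHEMES = {"http", "https"}

_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def _normalise(target: str) -> str:
    """Mimic WHATWG URL parsing before reading the scheme: leading/trailing
    C0 controls and spaces are trimmed, and tab/CR/LF anywhere are removed,
    so "  java\\tscript:" still means javascript:."""
    return re.sub(r"[\t\r\n]", "", target.strip(_C0_AND_SPACE))


def safe_href(target: str) -> str | None:
    """Return the normalised target if its scheme is allowed, else None."""
    cleaned = _normalise(target)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "" or scheme in ALLOWED_SCHEMES:
        return cleaned          # relative, protocol-relative, or http(s)
    return None


def render_svg_link_unsafe(target: str, label: str) -> str:
    """The pattern the CVE title describes (constructed, not EasyTimeline's
    code): the user-supplied target is copied straight into the href."""
    return f'<a xlink:href="{target}"><text>{label}</text></a>'


def render_svg_link(target: str, label: str) -> str:
    """Hardened form: scheme-checked href, and both the attribute value and
    the text node XML-escaped, so a value can neither close the quote nor
    smuggle an entity such as &colon; past the scheme check."""
    href = safe_href(target)
    text = escape(label)
    if href is None:
        return f"<text>{text}</text>"        # keep the caption, drop the link
    return f"<a xlink:href={quoteattr(href)}><text>{text}</text></a>"


# href="..." or xlink:href='...' anywhere in the document.
_HREF = re.compile(r"""(?:xlink:)?href\s*=\s*(["'])(.*?)\1""", re.I | re.S)


def find_script_urls(svg: str) -> list[str]:
    """Audit helper for already-rendered SVG files: return every href whose
    scheme is not allowed. Entities are decoded first because inline SVG in
    an HTML page is parsed by the HTML parser, which understands &colon;,
    &#x3A; and similar encodings of the colon."""
    return [raw for _, raw in _HREF.findall(svg)
            if safe_href(html.unescape(raw)) is None]


# Constructed sample of what an unsafe renderer could emit from hostile
# timeline markup; it is not real EasyTimeline output.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="https://en.wikipedia.org/wiki/1969"><text>1969</text></a>
  <a xlink:href="javascript:alert(document.cookie)"><text>1970</text></a>
  <a xlink:href="JaVaScRiPt&#x3A;alert(1)"><text>1971</text></a>
  <a xlink:href="/wiki/1972"><text>1972</text></a>
  <a xlink:href="&#9;java&#10;script:alert(2)"><text>1973</text></a>
</svg>"""

if __name__ == "__main__":
    for bad in find_script_urls(SAMPLE_SVG):
        print("script-capable href:", bad)
    print(render_svg_link_unsafe("javascript:alert(1)", "1970"))
    print(render_svg_link("javascript:alert(1)", "1970"))
```

Run as a script it lists the three hostile hrefs in the constructed sample and prints the unsafe and hardened renderings of the same input side by side. The renderer drops a rejected link rather than escaping it because an escaped javascript: URL is still a working javascript: URL once the browser decodes the attribute; the scanner decodes entities for the same reason, since the check has to see what the browser will see.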


Advisories

No advisories yet.

References

None listed.

History

Wed, 01 Jul 2026 16:30:00 +0000

  Metrics (ssvc) added: Exploitation: none; Automatable: no; Technical Impact: partial (SSVC version 2.0.3)

Wed, 01 Jul 2026 15:30:00 +0000

  Description added: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation timeline. This vulnerability is associated with program files includes/Timeline.Php, scripts/EasyTimeline.Pl. This issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
  Title added: Stored XSS through javascript URLs in SVGs generated by EasyTimeline
  Weaknesses added: CWE-79
  References added: none listed
  Metrics (cvssV4_0) added: score 0, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-07-01T15:47:50.725Z

Reserved: 2026-06-27T13:32:41.613Z

Link: CVE-2026-58038

Vulnrichment

Updated: 2026-07-01T15:47:47.332Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T01:00:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')