Description
Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation MediaWiki - RedirectManager Extension allows Cross-Site Request Forgery.

This issue affects MediaWiki - RedirectManager Extension: all versions before 1.3.3.
Published: 2026-07-01
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery (CSRF) flaw that lets an attacker forge requests on behalf of a victim who is authenticated to the MediaWiki system. The flaw exists in the RedirectManager Extension before version 1.3.3 and is categorized as CWE-352. If exploited, an attacker could perform actions such as creating or modifying redirects without the victim's consent, potentially disrupting site navigation or spreading misinformation. The CVSS score of 6.9 indicates moderate risk; the flaw has no KEV listing and no EPSS score, which suggests it has not yet been widely abused.

Affected Systems

The flaw affects the Wikimedia Foundation MediaWiki RedirectManager Extension in all releases prior to 1.3.3. Users running an older version of this extension on their MediaWiki installation are potentially exposed to CSRF attacks.

Risk and Exploitability

With a CVSS score of 6.9, the vulnerability carries moderate severity. No EPSS score is available, so the exploitation probability cannot be quantified, and the flaw is not listed in CISA's KEV catalog. Attackers would target users who are logged in and who open or interact with a crafted URL that submits a state-changing request through the vulnerable extension. Because the flaw does not involve privilege escalation or remote code execution, the overall impact is limited to unauthorized content manipulation, but it remains a tangible threat to site integrity.

Generated by OpenCVE AI on July 1, 2026 at 08:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the RedirectManager Extension to version 1.3.3 or later, applying the latest security patch from the Wikimedia Foundation.
  • Ensure that all forms and actions handled by the extension include anti‑CSRF tokens and that the server validates these tokens on submission.
  • If an upgrade is not possible immediately, disable or remove the RedirectManager Extension until the fix is deployed, and monitor the site for any suspicious cross‑site request attempts.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 09:00:00 +0000

Type | Values Removed | Values Added
Title | | Cross-Site Request Forgery in MediaWiki RedirectManager Extension

Wed, 01 Jul 2026 05:00:00 +0000

Type | Values Removed | Values Added
Description | | Cross-Site request forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - RedirectManager Extension allows Cross Site Request Forgery. This issue affects Mediawiki - RedirectManager Extension: from * before 1.3.3.
Weaknesses | | CWE-352
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}



MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-07-01T03:52:29.450Z

Reserved: 2026-07-01T03:40:44.769Z

Link: CVE-2026-58518

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T08:45:15Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)