Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.

This issue affects Mediawiki - Cargo Extension: from * before 3.9.1.
Published: 2026-07-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation in the Cargo extension's map format leads to stored cross-site scripting: an attacker who can get attacker-controlled text into the data the map format renders can persist a script that runs in the browser of every user who later views the affected page. That allows session and credential theft, defacement and other client-side attacks; the underlying weakness is the classic CWE-79.

Affected Systems

The vulnerability affects the Wikimedia Foundation MediaWiki Cargo extension in every release earlier than 3.9.1 (the CVE record gives the affected range as "* before 3.9.1", so 3.9.0 and everything before it is in scope). Any MediaWiki installation that loads this extension is potentially exposed.
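A quick way to tell whether a given wiki is in the affected range is to read the extension list that MediaWiki publishes through its siteinfo API and compare Cargo's reported version against 3.9.1. The script below is an added example for this entry, not OpenCVE's or the Cargo project's code; it assumes the standard `api.php?action=query&meta=siteinfo&siprop=extensions` endpoint, whose response lists installed extensions with `name` and `version` fields, and the sample response embedded in it is constructed for illustration.

```python
"""Check whether a MediaWiki site runs a Cargo version before 3.9.1.

Added example; it assumes the siteinfo API shape described in the lead-in
(query.extensions[].name / .version). The sample document at the bottom is
constructed, not captured from a real wiki.
"""
import json
import re
import urllib.request

# First version outside the affected range "* before 3.9.1".
FIXED_VERSION = "3.9.1"


def parse_version(v: str) -> tuple:
    """Turn '3.9.1' or '3.10' into a tuple of ints for comparison.

    Plain string comparison gets this wrong ('3.10' < '3.9.1' as strings),
    so split on dots. Anything after the numeric prefix (e.g. '-alpha')
    is ignored.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def cargo_status(siteinfo: dict) -> dict:
    """Report whether Cargo is installed and whether its version is affected.

    Returns {'installed': bool, 'version': str|None, 'affected': bool}.
    """
    for ext in siteinfo.get("query", {}).get("extensions", []):
        if ext.get("name") == "Cargo":
            version = ext.get("version", "")
            affected = parse_version(version) < parse_version(FIXED_VERSION)
            return {"installed": True, "version": version, "affected": affected}
    return {"installed": False, "version": None, "affected": False}


def fetch_siteinfo(api_url: str) -> dict:
    """Fetch the live siteinfo document from a wiki's api.php.

    Network call; the offline sample below does not exercise it.
    """
    url = api_url + "?action=query&meta=siteinfo&siprop=extensions&format=json"
    req = urllib.request.Request(url, headers={"User-Agent": "cargo-version-check/1.0"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample response, trimmed to the fields this check uses.
SAMPLE_SITEINFO = {
    "query": {
        "extensions": [
            {"type": "parserhook", "name": "ParserFunctions", "version": "1.6.0"},
            {"type": "parserhook", "name": "Cargo", "version": "3.8.1"},
        ]
    }
}

if __name__ == "__main__":
    # For a live check: print(cargo_status(fetch_siteinfo("https://wiki.example.org/w/api.php")))
    print(cargo_status(SAMPLE_SITEINFO))
```

The same endpoint is readable by an attacker scanning for vulnerable wikis, so the version string is not a secret; the only real fix is the upgrade. Note that the numeric comparison matters: a future 3.10.x release sorts after 3.9.1 correctly, whereas a string comparison would flag it as affected.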

Risk and Exploitability

The CVSS 4.0 base score of 6.9 (Medium) comes from a vector of AV:N/AC:L/AT:N/PR:N/UI:N with Low impact on confidentiality, integrity and availability for both the vulnerable and subsequent systems; the EPSS score is below 1% (very low), so the probability of widespread exploitation is currently rated low. The extension is not listed in CISA's KEV catalog, although the SSVC assessment records a public proof of concept (Exploitation: poc) and rates the attack as automatable. In practice, exploitation requires the ability to save wikitext that is rendered through Cargo's map format: on a wiki that allows anonymous editing this needs no account, which matches PR:N, while a wiki that restricts editing confines the attack to users holding edit rights. Because the payload is stored, a single injection persists and fires for every viewer until the offending data is removed.

Generated by OpenCVE AI on July 1, 2026 at 15:06 UTC.

Remediation

The CVE record does not list a vendor-supplied fix or workaround. The affected range ends at 3.9.1, which is the earliest version outside it.

OpenCVE Recommended Actions

  • Update the Cargo extension to version 3.9.1 or later, the earliest release outside the affected range.
  • If an immediate update is not possible, disable or remove the Cargo extension from the MediaWiki installation so the vulnerable rendering path is unreachable; pages that depend on Cargo queries will stop rendering until it is re-enabled.
  • Restrict who can edit pages that feed Cargo data (for example, disallow anonymous editing) so that only trusted users can store content the map format renders. This lowers the chance of a new injection but does not protect viewers from a payload that is already stored, so review existing Cargo-backed content for injected markup after upgrading. A restrictive Content Security Policy limits what an injected script can do, but is not a substitute for the upgrade.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 13:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 05:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: from * before 3.9.1.
Title       |                | Stored XSS through Cargo's map format
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:A'}


MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-07-01T12:29:57.811Z

Reserved: 2026-07-01T03:40:44.769Z

Link: CVE-2026-58519

Vulnrichment

Updated: 2026-07-01T12:29:48.092Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T15:15:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')