← Back to home
wid-sec-w-2026-1043  ·  Published 2026-04-09  ·  View on BSI CERT-Bund ↗

MediaWiki Erweiterungen: Multiple Vulnerabilities allow Cross-Site Scripting

CVSS N/A NONE

Risk Summary

Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS).The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This vulnerability is fixed in 0.1.1. Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7. Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

CVEs (13)

Affected Vendors

Open Source

Affected Products (14)

Open Source · MediaWiki <1.43.7
Open Source · MediaWiki 1.43.7
Open Source · MediaWiki <1.44.4
Open Source · MediaWiki 1.44.4
Open Source · MediaWiki <1.45.2
Open Source · MediaWiki 1.45.2
Open Source · MediaWiki Wikilove Extension
Open Source · MediaWiki ProofreadPage Extension
Open Source · MediaWiki Cargo Extension
Open Source · MediaWiki ReportIncident Extension
Open Source · MediaWiki GrowthExperiments Extension
Open Source · MediaWiki CampaignEvents Extension
Open Source · MediaWiki Score Extension
Open Source · MediaWiki CentralAuth Extension

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more