CVE-2026-22710
Cross-Site Scripting in Mediawiki Wikibase Extension

Publication date: 2026-01-09

Last updated on: 2026-02-12

Assigner: wikimedia-foundation

Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39.
Affected Vendors & Products

Vendor      Product    Version / Range
wikimedia   wikibase   1.39
wikimedia   wikibase   1.43
wikimedia   wikibase   1.44
wikimedia   wikibase   1.45

CWE

CWE ID    Description
CWE-79    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-22710 is a stored cross-site scripting (XSS) vulnerability in the Wikibase extension of MediaWiki. It occurs because system messages are inserted into autocomments as parsed HTML without proper escaping, allowing an attacker to inject malicious HTML or JavaScript. Specifically, the flaw lies in how wiki link syntax inside HTML element attributes is processed, which enables injection of arbitrary markup. This affects system messages starting with 'wikibase-entity-summary-' and similar ones. The exploit requires certain conditions and mainly impacts users with elevated privileges. [1]

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript in the context of the MediaWiki site by injecting malicious code into autocomments via system messages. This can lead to unauthorized actions such as session hijacking, privilege escalation, or other malicious activity affecting users with elevated privileges (e.g., sysops). However, the impact is limited because unprivileged users have not been able to exploit it since 2017, owing to prior fixes. [1]

Detection Guidance

This vulnerability can be detected by checking for malicious HTML or JavaScript payloads in autocomments generated by the FormatAutocomments hook, especially in system messages starting with "wikibase-entity-summary-" and similar prefixes. One practical approach is to review the content of system messages and autocomments for unescaped wiki link syntax inside HTML attributes. Specific commands are not provided in the resources, but manual inspection of the MediaWiki system messages and recent edit summaries (e.g., via Special:RecentChanges) for suspicious payloads such as <pre tabindex="0" data-xss="[[#/autofocus/onfocus=alert(1);//">]]</pre> can help detect exploitation attempts. [1]
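The check described above, as an added example that is not part of this record or of the Wikibase code base: it parses edit summaries or system-message text with the standard library HTML parser and flags any attribute value that carries wiki link syntax, which is the pattern the payload quoted above relies on. The sample strings are constructed for the example.

```python
"""Flag summaries/messages that carry wiki link syntax inside an HTML attribute
value, the pattern behind CVE-2026-22710 (added detection example)."""
from html.parser import HTMLParser


class AttrLinkFinder(HTMLParser):
    """Collect (tag, attribute, value) triples whose value contains '[[' or ']]'."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and ("[[" in value or "]]" in value):
                self.hits.append((tag, name, value))


def find_wikilinks_in_attributes(text):
    """Return (tag, attr, value) for every attribute holding wiki link syntax."""
    finder = AttrLinkFinder()
    finder.feed(text)
    finder.close()
    return finder.hits


# Constructed sample texts (not real wiki data). Wiki links in plain text are
# normal for Wikibase summaries; only links inside attribute values are flagged.
SAMPLES = {
    "benign-link": "Created claim: [[Property:P31]]: [[Q5]]",
    "benign-html": '<span class="autocomment">Changed label</span>',
    "page-payload": '<pre tabindex="0" data-xss="[[#/autofocus/onfocus=alert(1);//">]]</pre>',
}


def scan(samples):
    """Return the names of samples containing wiki link syntax in an attribute."""
    return [name for name, text in samples.items()
            if find_wikilinks_in_attributes(text)]


if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("suspicious:", name, find_wikilinks_in_attributes(SAMPLES[name]))
```

Run it over exported edit summaries or the MediaWiki: namespace pages to triage candidates for manual review; a hit is a lead, not proof of exploitation.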

Mitigation Strategies

Immediate mitigation is to apply the patches that escape system messages before inserting them into autocomments; these were deployed in November 2025 and January 2026 across multiple branches (REL1_43, REL1_44, REL1_45, and master). If patching is not immediately possible, reviewing and sanitizing system messages to remove or escape wiki link syntax inside HTML attributes can reduce risk. Additionally, restricting the relevant privileges to trusted users and monitoring edit summaries for suspicious content can help limit impact until the patches are applied. [1]
