CVE-2026-22710
Cross-Site Scripting in Mediawiki Wikibase Extension

Publication date: 2026-01-09

Last updated on: 2026-02-12

Assigner: wikimedia-foundation

Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39.
Meta Information
Published: 2026-01-09
Last Modified: 2026-02-12
Generated: 2026-05-07
AI Q&A: 2026-01-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
wikimedia wikibase 1.39
wikimedia wikibase 1.43
wikimedia wikibase 1.44
wikimedia wikibase 1.45
CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22710 is a stored cross-site scripting (XSS) vulnerability in the Wikibase extension of MediaWiki. It occurs because system messages are inserted into autocomments as parsed HTML without proper escaping, allowing an attacker to inject malicious HTML or JavaScript. Specifically, the vulnerability exploits how wiki link syntax inside HTML element attributes is processed, enabling injection of arbitrary code. This affects system messages starting with 'wikibase-entity-summary-' and similar ones. The exploit requires certain conditions and mainly impacts users with elevated privileges. [1]


How can this vulnerability impact me?

This vulnerability can allow an attacker to execute arbitrary JavaScript in the context of the MediaWiki site by injecting malicious code into autocomments via system messages. This can lead to unauthorized actions such as session hijacking, privilege escalation, or other malicious activities affecting users with elevated privileges (e.g., sysops). However, the impact is limited because unprivileged users cannot exploit it since 2017 due to prior fixes. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of malicious HTML or JavaScript payloads in autocomments generated by the FormatAutocomments hook, especially in system messages starting with "wikibase-entity-summary-" and similar prefixes. One practical approach is to review the content of system messages and autocomments for unescaped wiki link syntax inside HTML attributes. Specific commands are not provided in the resources, but manual inspection of the MediaWiki system messages and recent edit summaries (e.g., via Special:RecentChanges) for suspicious payloads like <pre tabindex="0" data-xss="[[#/autofocus/onfocus=alert(1);//">]]</pre> can help detect exploitation attempts. [1]
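As an added illustration of the manual check described above (example code written for this page, not code from the cited resources or from Wikibase itself), the following Python heuristic flags edit summaries or system-message text in which wiki link syntax appears inside an HTML attribute value; the sample summaries are constructed, and matching only on an opening `[[` inside an attribute is an assumption that trades precision for simplicity.

```python
"""Heuristic scan of edit summaries / system-message text for wiki link
syntax ([[...]]) inside an HTML attribute value, the shape described for
CVE-2026-22710. Added example; not Wikibase or MediaWiki code."""
from html.parser import HTMLParser
import re

# Assumption: an opening "[[" inside any attribute value is enough to flag.
WIKILINK_OPEN = re.compile(r"\[\[")


class AttrWikilinkFinder(HTMLParser):
    """Collect (tag, attribute, value) triples whose value contains '[['."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and WIKILINK_OPEN.search(value):
                self.hits.append((tag, name, value))


def find_wikilink_in_attributes(text):
    """Return [(tag, attr, value), ...] for attribute values containing '[['."""
    finder = AttrWikilinkFinder()
    finder.feed(text)
    finder.close()
    return finder.hits


def scan_summaries(summaries):
    """Return the indices of summaries matching the heuristic."""
    return [i for i, s in enumerate(summaries) if find_wikilink_in_attributes(s)]


# Constructed sample summaries (not real data). Only the third one places
# wiki link syntax inside an attribute; the second uses a wiki link in plain text.
SAMPLE_SUMMARIES = [
    "/* wbsetlabel-add:1|en */ Example label",
    "Added a [[Help:Link|link]] to the description",
    '<pre tabindex="0" data-xss="[[#/autofocus/onfocus=alert(1);//">]]</pre>',
    '<span title="plain">no wikilink here</span>',
]

if __name__ == "__main__":
    for i in scan_summaries(SAMPLE_SUMMARIES):
        print(f"suspicious summary #{i}: {SAMPLE_SUMMARIES[i]!r}")
```

In practice the same function can be fed text exported from Special:RecentChanges or from the wiki's MediaWiki-namespace messages; a hit is a prompt for manual review, not proof of exploitation.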


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the patches developed to escape system messages before inserting them into autocomments, which have been deployed in November 2025 and January 2026 across multiple branches (REL1_43, REL1_44, REL1_45, and master). If patching is not immediately possible, reviewing and sanitizing system messages to remove or escape wiki link syntax inside HTML attributes can reduce risk. Additionally, restricting privileges to trusted users and monitoring edit summaries for suspicious content can help mitigate impact until patches are applied. [1]

