CVE-2026-22714
Unknown Unknown - Not Provided
Cross-Site Scripting in Mediawiki Monaco Skin Allows Code Injection

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: wikimedia-foundation

Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22714
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
the_wikimedia_foundation mediawiki_monaco_skin 1.39
the_wikimedia_foundation mediawiki_monaco_skin 1.43
the_wikimedia_foundation mediawiki_monaco_skin 1.44
the_wikimedia_foundation mediawiki_monaco_skin 1.45
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22714 involves multiple security issues in the Monaco skin for MediaWiki, including internationalization (i18n) cross-site scripting (XSS) vulnerabilities caused by improper handling of localized content, denial of service (DoS) errors triggered by uninitialized variables and undefined method calls, and a potential configuration SQL injection (SQLi) vulnerability. These flaws allow attackers to inject malicious scripts, cause the wiki to become inaccessible via the Monaco skin, and potentially manipulate database queries. Fixes have been applied to address these issues. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in users' browsers through XSS, potentially stealing sensitive information or performing unauthorized actions. The DoS issues can prevent users from accessing the wiki when using the Monaco skin, disrupting availability. Although the SQL injection is unlikely to be exploitable in practice, it could allow unauthorized database access or manipulation if triggered. [1]

Detection Guidance

Detection of CVE-2026-22714 involves checking for the presence of the vulnerable Monaco skin versions (1.39, 1.43, 1.44, 1.45) in your MediaWiki installation and monitoring for unusual errors or behavior related to the Monaco skin. Specific detection commands are not provided in the resources. However, you can inspect logs for PHP errors such as TypeErrors related to uninitialized variables in MonacoSidebar.php or fatal errors from undefined method calls in SkinMonaco.php. Additionally, testing for XSS by attempting to inject scripts into localized strings related to footer link text, view history, or permalink generation could help identify the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include applying the patch (T411126.patch) that addresses the vulnerabilities by initializing variables properly, correcting method calls, and sanitizing inputs to prevent XSS and SQL injection. If patching is not immediately possible, consider disabling the Monaco skin to prevent exploitation of these vulnerabilities. Also, avoid creating user pages named 'User:<username>/Monaco-toolbox' to prevent DoS. Monitoring and restricting configuration variables like $wgMonacoBiggestCategoriesBlacklist can reduce SQL injection risk. Upgrading to a fixed version or switching to a maintained skin is recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22714. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart