CVE-2026-22714
Cross-Site Scripting in Mediawiki Monaco Skin Allows Code Injection
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: wikimedia-foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the_wikimedia_foundation | mediawiki_monaco_skin | 1.39 |
| the_wikimedia_foundation | mediawiki_monaco_skin | 1.43 |
| the_wikimedia_foundation | mediawiki_monaco_skin | 1.44 |
| the_wikimedia_foundation | mediawiki_monaco_skin | 1.45 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22714 covers several security issues in the Monaco skin for MediaWiki: internationalization (i18n) cross-site scripting (XSS) flaws caused by localized message text being placed into HTML output without proper escaping, denial-of-service (DoS) conditions caused by uninitialized variables and calls to undefined methods (PHP TypeErrors and fatal errors that stop the skin from rendering), and a potential SQL injection (SQLi) through a configuration variable. An attacker can use these flaws to inject script into pages served to other users, make the wiki unreachable for anyone using the Monaco skin, and potentially influence database queries. Fixes have been applied for all of these issues. [1]
How can this vulnerability impact me?
Through the XSS issues, an attacker can run script in other users' browsers within the wiki's origin, which can expose session-bound data or let the attacker perform actions as those users. The DoS issues make pages fail to render for anyone using the Monaco skin, so availability suffers until the skin is fixed or disabled. The SQL injection is unlikely to be exploitable in practice because the injection point is a configuration variable set by the site administrator rather than request input, but if triggered it could allow unauthorized reading or manipulation of the database. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exposure to CVE-2026-22714 comes down to two checks: whether one of the affected Monaco skin versions (1.39, 1.43, 1.44, 1.45) is installed and enabled, and whether the skin is producing the errors described above. The referenced resources do not provide specific detection commands. Start with the installation itself: confirm whether LocalSettings.php enables the Monaco skin and which version sits under the skins directory. Then review the PHP error log and the MediaWiki debug log for TypeErrors raised in MonacoSidebar.php (the uninitialized-variable DoS) and fatal "Call to undefined method" errors raised in SkinMonaco.php. The XSS issues can be verified on a non-production copy of the wiki by placing a harmless probe string (for example a lone < character) in the localized messages used for footer link text, view history and permalink generation and checking whether it is rendered escaped; do not run such tests against a production wiki, since any working probe is served to every reader using the skin. [1]
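The checks above as a small shell script. This is an added example, not code from the advisory, the Monaco skin project or MediaWiki. It assumes the skin is enabled from LocalSettings.php with wfLoadSkin( 'Monaco' ) or a legacy require_once of skins/Monaco/..., and that PHP errors land in a plain-text log whose lines name the failing file; the sample log and sample LocalSettings.php inside the script are constructed for the dry run, not captured from a real wiki.

```bash
#!/usr/bin/env bash
# Added example for the detection question above; it is not code from the
# advisory, the Monaco skin project or MediaWiki. Assumptions, labelled here:
# the skin is enabled from LocalSettings.php with wfLoadSkin( 'Monaco' ) or a
# legacy require_once of skins/Monaco/..., and PHP errors are written to a
# plain-text log in which each line names the failing file. The sample log and
# sample LocalSettings.php below are constructed, not captured from a real wiki.

# Exit 0 when LocalSettings.php enables the Monaco skin on an active
# (uncommented) line, 1 otherwise. Commented-out loaders do not count.
monaco_loaded() {
  local settings="$1"
  grep -Eq "^[[:space:]]*(wfLoadSkin\([[:space:]]*.Monaco.|require_once.*skins/Monaco/)" "$settings"
}

# The two DoS signatures named in the advisory: a TypeError raised inside
# MonacoSidebar.php (uninitialized variable) or a fatal "Call to undefined
# method" raised inside SkinMonaco.php.
monaco_error_pattern='TypeError.*MonacoSidebar\.php|Call to undefined method.*SkinMonaco\.php'

# Print the log lines carrying either signature (nothing when there are none).
scan_monaco_errors() {
  grep -E "$monaco_error_pattern" "$1" || true
}

# Print how many such lines the log contains (0 when there are none).
count_monaco_errors() {
  grep -cE "$monaco_error_pattern" "$1" || true
}

# Constructed sample log (paths, timestamps and messages are illustrative).
write_sample_log() {
  cat > "$1" <<'EOF'
[2026-01-09 10:01:12] PHP Warning:  Undefined array key "foo" in /var/www/w/includes/Setup.php on line 412
[2026-01-09 10:02:03] PHP Fatal error:  Uncaught TypeError: constructed example message in /var/www/w/skins/Monaco/MonacoSidebar.php:1
[2026-01-09 10:02:40] PHP Fatal error:  Uncaught Error: Call to undefined method SkinMonaco::exampleMethod() in /var/www/w/skins/Monaco/SkinMonaco.php:1
[2026-01-09 10:03:15] PHP Deprecated:  constructed unrelated notice in /var/www/w/skins/Vector/VectorTemplate.php on line 7
EOF
}

# Constructed sample LocalSettings.php with Monaco enabled and set as default.
write_sample_settings() {
  cat > "$1" <<'EOF'
<?php
$wgSitename = "ExampleWiki";
wfLoadSkin( 'Vector' );
wfLoadSkin( 'Monaco' );
$wgDefaultSkin = 'monaco';
EOF
}

# Dry run against the constructed samples; on a live wiki point the functions
# at the real LocalSettings.php and error log instead.
monaco_dry_run() {
  local dir
  dir=$(mktemp -d)
  write_sample_log "$dir/error.log"
  write_sample_settings "$dir/LocalSettings.php"
  if monaco_loaded "$dir/LocalSettings.php"; then
    echo "Monaco skin is enabled; matching error lines: $(count_monaco_errors "$dir/error.log")"
    scan_monaco_errors "$dir/error.log"
  else
    echo "Monaco skin is not enabled"
  fi
  rm -rf "$dir"
}
```

The version check is deliberately left to the reader: look at the skin's own metadata under skins/Monaco and compare it with the affected list, since the advisory does not say which file carries the version string. A non-zero count from count_monaco_errors on a wiki that has Monaco enabled is a strong sign that the DoS paths are being hit, whether by accident or on purpose.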
What immediate steps should I take to mitigate this vulnerability?
Apply the patch (T411126.patch), which initializes the affected variables, corrects the undefined method calls, and sanitizes the localized strings and configuration values that reach HTML output and SQL queries. If patching cannot happen immediately, disable the Monaco skin (and, if it was the default skin, pick another installed skin as the default) so the vulnerable code paths are no longer reachable. Until then, do not create user pages named 'User:<username>/Monaco-toolbox', since such a page triggers the DoS, and restrict who can change configuration variables such as $wgMonacoBiggestCategoriesBlacklist, which feed the SQL injection. Upgrading to a fixed version, or moving to a maintained skin, is the durable fix. [1]
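The "disable the skin" step as a shell function. This is an added example, not code from the advisory, the Monaco skin project or MediaWiki. It assumes the skin is enabled in LocalSettings.php by wfLoadSkin( 'Monaco' ) or a legacy require_once of skins/Monaco/..., that $wgDefaultSkin may point at 'monaco', and that the fallback skin (Vector unless another name is passed) is installed; the LocalSettings.php in the dry run is constructed.

```bash
#!/usr/bin/env bash
# Added example for the mitigation step "disable the Monaco skin"; not code from
# the advisory, the Monaco skin project or MediaWiki. Assumptions, labelled
# here: the skin is enabled in LocalSettings.php by wfLoadSkin( 'Monaco' ) or a
# legacy require_once of skins/Monaco/..., $wgDefaultSkin may point at
# 'monaco', and the fallback skin (Vector by default here) is installed.

# Comment out the Monaco loader in LocalSettings.php and, if Monaco was the
# default skin, switch $wgDefaultSkin to the fallback. A .bak copy is kept and
# the file is rewritten from that copy, so no GNU-only `sed -i` is needed.
disable_monaco() {
  local settings="$1" fallback="${2:-vector}"
  cp "$settings" "$settings.bak"
  sed -E \
    -e 's#^([[:space:]]*)((wfLoadSkin\([[:space:]]*.Monaco.|require_once.*skins/Monaco/).*)$#\1// CVE-2026-22714 mitigation: \2#' \
    -e 's#^([[:space:]]*\$wgDefaultSkin[[:space:]]*=[[:space:]]*).monaco.(.*)$#\1'"'$fallback'"'\2#' \
    "$settings.bak" > "$settings"
}

# Exit 0 if the file still enables Monaco on an active line; re-check after editing.
monaco_still_enabled() {
  grep -Eq "^[[:space:]]*(wfLoadSkin\([[:space:]]*.Monaco.|require_once.*skins/Monaco/)" "$1"
}

# Dry run on a constructed LocalSettings.php; run disable_monaco against the
# real file only after backing up the whole wiki configuration.
disable_monaco_dry_run() {
  local dir
  dir=$(mktemp -d)
  printf '%s\n' '<?php' "wfLoadSkin( 'Vector' );" "wfLoadSkin( 'Monaco' );" "\$wgDefaultSkin = 'monaco';" > "$dir/LocalSettings.php"
  disable_monaco "$dir/LocalSettings.php"
  cat "$dir/LocalSettings.php"
  if monaco_still_enabled "$dir/LocalSettings.php"; then echo "Monaco is still enabled"; else echo "Monaco disabled"; fi
  rm -rf "$dir"
}
```

Commenting the loader out rather than deleting it keeps the change reversible once the patched skin is in place; users who had selected Monaco in their preferences will be served the wiki's default skin in the meantime, which is why the default is switched in the same edit.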