Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30977 is a stored Cross-Site Scripting (XSS) vulnerability in the RenderBlocking MediaWiki extension when used with Inline Assets mode enabled. It occurs because malicious CSS content injected by a user with the "editsitecss" permission is not properly sanitized before being rendered. This allows the attacker to embed scripts that execute in the browsers of other users viewing the affected CSS pages.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from the use of unsafe methods to insert CSS and JavaScript inline into the page head, specifically using Html::rawElement, which allowed raw HTML injection. The issue was fixed by replacing these calls with safer methods that properly encode and sanitize the inline assets.'}] [1, 3]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows a user with high privileges (specifically the "editsitecss" permission) to inject malicious scripts into global CSS pages. These scripts then execute in the browsers of other users who view the affected pages.'}, {'type': 'paragraph', 'content': 'The impact is considered low severity, with potential low confidentiality and integrity risks. It could lead to unauthorized script execution, which might be used to steal information or manipulate the user interface, but it does not affect system availability.'}] [2, 3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves stored Cross-Site Scripting (XSS) in MediaWiki's RenderBlocking extension when Inline Assets mode is enabled and a user with the editsitecss permission injects malicious content into CSS pages."}, {'type': 'paragraph', 'content': 'To detect this vulnerability, you should check if your MediaWiki installation uses RenderBlocking extension version 0.1.0 or earlier with the setting $wgRenderBlockingInlineAssets set to true.'}, {'type': 'paragraph', 'content': "You can inspect the content of the MediaWiki:Renderblocking.css page or other CSS pages editable by users with editsitecss rights for suspicious injected scripts such as sequences like '</style><script>alert(1)</script><style>'."}, {'type': 'paragraph', 'content': 'Since this is a stored XSS vulnerability, network detection might be limited, but you can use commands or scripts to fetch and scan the CSS pages for suspicious inline scripts.'}, {'type': 'list_item', 'content': 'Use curl or wget to retrieve the CSS page content, for example: curl -s https://yourwiki.example.com/wiki/MediaWiki:Renderblocking.css'}, {'type': 'list_item', 'content': "Search for suspicious script tags or unusual inline JavaScript using grep or similar tools: grep -E '</style><script|<script>alert' Renderblocking.css"}, {'type': 'list_item', 'content': 'Check the RenderBlocking extension version installed by querying your MediaWiki extensions or checking the version file.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the RenderBlocking extension to version 0.1.1 or later, where the vulnerability is fixed.

This update replaces unsafe raw HTML insertion methods with safe inline style and script encoding, preventing malicious script injection.

Additionally, restrict the editsitecss user rights to trusted administrators only, as the vulnerability requires this permission to exploit.

If upgrading immediately is not possible, consider disabling the Inline Assets mode by setting $wgRenderBlockingInlineAssets to false to prevent the vulnerability from being triggered.

Review and sanitize existing CSS pages editable by users with editsitecss rights to remove any injected malicious scripts.

Useful 0 Not Useful 0