CVE-2026-39837
Stored XSS in Mediawiki Cargo Extension before 3.8.7

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: wikimedia-foundation

Description
Improper neutralization of script-related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Meta Information
Published: 2026-04-07. Last modified: 2026-04-15. Page generated: 2026-05-07. AI Q&A generated: 2026-04-08. EPSS evaluated: 2026-05-05.
Affected Vendors & Products
One associated CPE. Vendor: mediawiki. Product: cargo. Version range: up to 3.8.7 (excluding 3.8.7).
CWE
CWE-80: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is a stored Cross-Site Scripting (XSS) issue in the MediaWiki Cargo extension that allows attackers to inject malicious scripts which execute in users' browsers.

Such XSS vulnerabilities can lead to unauthorized access to user data, session hijacking, or manipulation of displayed content, which may result in breaches of confidentiality and integrity.

Consequently, this can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure handling of data.

Organizations using affected versions of the MediaWiki Cargo extension should address this vulnerability promptly to maintain compliance with these standards.


Can you explain this vulnerability to me?

CVE-2026-39837 is a stored Cross-Site Scripting (XSS) vulnerability in the MediaWiki Cargo extension, specifically in its dynamic table display format.

The dynamic table script keeps per-row HTML in ordinary HTML5 `data-` attributes (such as `data-details`) and later writes that value back into the page as HTML. MediaWiki's wikitext sanitizer lets editors set arbitrary non-reserved `data-*` attributes on table elements, so anyone who can edit a page can put their own `data-details` value, markup included, on a row that the script will later treat as trusted HTML.

For example, an attacker can create a page whose Cargo query outputs a dynamic table row carrying a `data-details` attribute whose value is an image tag with an `onerror` event handler, such as `<img src=x onerror=alert(2)>`. The sanitizer would strip `onerror` if it were written as an attribute of the row itself, but it does not inspect the contents of a data attribute. When a user interacts with the row, the script inserts the stored value as HTML, the image fails to load, and the handler runs in the victim's browser under the wiki's origin. Because the payload lives in saved page content, this is stored XSS.

The root cause is that the script trusted attributes that untrusted wikitext is permitted to set, so the attacker's content and Cargo's own content were indistinguishable on the client.

The issue was fixed by replacing the non-reserved `data-` attributes with reserved `data-mw-` attributes. MediaWiki's sanitizer strips `data-mw-*` attributes from wikitext, so only Cargo's server-side output can populate them and editor-supplied values never reach the script.
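The following is an added example, not code from Cargo or MediaWiki. It models the three pieces described above: a simplified stand-in for MediaWiki's wikitext attribute sanitizer (assumed behaviour: editor-supplied `data-*` attributes are kept, `data-mw*`/`data-ooui*`/`data-parsoid*` and `on*` attributes are dropped), a dynamic-table handler that hands a row's "details" attribute to an innerHTML-style sink, and the fix, which changes only which attribute name the handler trusts. The attribute name `data-mw-cargo-details`, the class name and the payload wrapper are assumptions for illustration; the page's proof-of-concept payload is used unchanged.

```javascript
// Added example (not Cargo/MediaWiki code): why an editor-settable data-* attribute
// is a stored-XSS sink when client JS treats its value as HTML, and why the
// reserved data-mw- prefix closes the hole.

const RESERVED_DATA_PREFIX = /^data-(mw|ooui|parsoid)/i; // assumed reserved prefixes
const EVENT_HANDLER = /^on/i;

// Simplified model of what survives from an editor-supplied attribute list in wikitext.
function sanitizeWikitextAttributes(attrs) {
  const kept = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (EVENT_HANDLER.test(name)) continue;            // on* is never allowed from wikitext
    if (name.startsWith('data-')) {
      if (RESERVED_DATA_PREFIX.test(name)) continue;   // reserved: stripped
      kept[name] = value;                              // generic data-*: kept verbatim
      continue;
    }
    if (['class', 'id', 'style', 'title'].includes(name)) kept[name] = value;
  }
  return kept;
}

// Node has no DOM, so "assigning this string to innerHTML runs script" is modelled
// as a classifier over the markup.
function isActiveHtml(html) {
  return /<\s*script\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

// The dynamic-table interaction handler, parameterised by the attribute it trusts.
// Returns the string that would reach the innerHTML sink, or null if nothing renders.
function renderRowDetails(row, detailsAttr) {
  const html = row[detailsAttr];
  return html === undefined ? null : html;
}

const PAYLOAD = '<img src=x onerror=alert(2)>'; // the page's proof-of-concept value

// An editor-supplied row. In wikitext the same attributes would be written as a row
// modifier, e.g. `|- data-details="<img src=x onerror=alert(2)>"`.
function attackerRowAttributes(targetAttr) {
  return { class: 'cargo-dynamic-row', [targetAttr]: PAYLOAD, onclick: 'alert(1)' };
}

// Before the fix: the script trusts a non-reserved attribute the editor can set.
function vulnerableScenario() {
  const row = sanitizeWikitextAttributes(attackerRowAttributes('data-details'));
  const sink = renderRowDetails(row, 'data-details');
  return { sink, executes: sink !== null && isActiveHtml(sink) };
}

// After the fix: the script trusts only a data-mw- attribute (name assumed), which the
// sanitizer strips from wikitext, so only server-side Cargo output can populate it.
function fixedScenario() {
  const row = sanitizeWikitextAttributes(attackerRowAttributes('data-mw-cargo-details'));
  const sink = renderRowDetails(row, 'data-mw-cargo-details');
  return { sink, executes: sink !== null && isActiveHtml(sink) };
}

console.log('vulnerable:', vulnerableScenario());
console.log('fixed:     ', fixedScenario());
```

The point the model makes explicit is that the fix does not change how the script handles the attribute value; it relies on the sanitizer guaranteeing that the attribute can only come from trusted server-side code. Any future code path that lets editors set `data-mw-*` attributes, or that copies editor content into them unescaped, would reopen the same sink.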


How can this vulnerability impact me?

This vulnerability allows attackers to inject and store malicious scripts within MediaWiki pages using the Cargo extension. When other users view or interact with the affected dynamic tables, the malicious scripts execute in their browsers.

Such stored XSS attacks can lead to unauthorized actions performed on behalf of users, theft of session cookies, defacement, or redirection to malicious sites.

Because the scripts persist in the content, the attack can affect multiple users over time, increasing the risk and impact.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Exploitation leaves the payload in saved page content, so detection means looking for stored XSS payloads in Cargo dynamic tables rather than for a network signature. Specifically, look for table rows carrying non-reserved data attributes such as `data-details` whose value contains markup, and in particular event handlers such as `onerror` on an image tag.

Search pages, revisions, or exported content for Cargo queries that output dynamic tables with rows carrying `data-details` attributes embedding JavaScript event handlers (e.g., `<img src=x onerror=alert(2)>`). In rendered HTML the attribute value is entity-encoded (`&lt;img src=x onerror=alert(2)&gt;`), while in wikitext it appears raw, so search for both forms, and match any `on*=` handler rather than only the `onerror` proof of concept.

Grep directly against the database is unreliable because MediaWiki may store revision text compressed or in external storage; export the current revisions first (for example with `php maintenance/dumpBackup.php --current`, or via Special:Export) and search the export. With the export under the page's placeholder path `/path/to/mediawiki/data`:

  • grep -rIil 'data-details' /path/to/mediawiki/data | xargs grep -iEl 'on[a-z]+ *='
  • grep -rIiE 'data-details="[^"]*(<|&lt;)' /path/to/mediawiki/data

Beyond stored content, inspect the HTML the wiki serves for pages that use the dynamic table format: a row whose non-reserved `data-` attribute value contains an encoded tag or an `on*=` handler is an injected payload regardless of whether any user has interacted with it yet. After the upgrade, Cargo emits reserved `data-mw-` attributes for its own rows, so any remaining `data-details` value containing markup is editor-supplied and should be reviewed.
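The following scanner is an added example, not part of the page's guidance or of Cargo. It implements the search described above over exported wikitext or rendered HTML lines: it extracts every `data-*` attribute, skips the reserved prefixes that cannot originate from wikitext, entity-decodes the value (rendered HTML encodes it), and reports values that contain script or event handlers separately from values that merely contain markup. The sample lines are constructed for the example; the `cargo-dynamic-row` class name is an assumption.

```javascript
// Added example (not Cargo code): scan exported wikitext / rendered HTML for
// non-reserved data-* attributes carrying markup or script.

const ATTR_RE = /\b(data-[a-z0-9-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
const RESERVED_DATA = /^data-(mw|ooui|parsoid)/i;            // cannot be set from wikitext
const SCRIPT_RE = /<\s*script\b|\bon[a-z]+\s*=|javascript:/i; // active content
const MARKUP_RE = /<[a-z!\/]/i;                               // any tag at all

// Minimal entity decoder; "&amp;" is handled last so that double-encoded
// "&amp;lt;" stays "&lt;" (inert) instead of becoming "<".
function decodeEntities(s) {
  return s
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"')
    .replace(/&#0*39;|&#x0*27;/gi, "'")
    .replace(/&amp;/gi, '&');
}

// Returns findings for one line: { line, attr, severity: 'script' | 'markup', value }.
function scanLine(line, lineNo) {
  const findings = [];
  for (const m of line.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    if (RESERVED_DATA.test(attr)) continue;
    const value = decodeEntities(m[2] ?? m[3] ?? '');
    if (SCRIPT_RE.test(value)) {
      findings.push({ line: lineNo, attr, severity: 'script', value });
    } else if (MARKUP_RE.test(value)) {
      findings.push({ line: lineNo, attr, severity: 'markup', value });
    }
  }
  return findings;
}

function scanForCargoXss(lines) {
  return lines.flatMap((line, i) => scanLine(line, i + 1));
}

// Constructed sample: two rendered-HTML rows, one reserved attribute, one clean
// element, and one raw wikitext row modifier.
const SAMPLE_LINES = [
  '<tr class="cargo-dynamic-row" data-details="&lt;img src=x onerror=alert(2)&gt;">',
  '<tr class="cargo-dynamic-row" data-details="&lt;b&gt;Region: EMEA&lt;/b&gt;">',
  '<tr data-mw-cargo-details="&lt;img src=x onerror=alert(3)&gt;">',
  '<div data-details="plain text, no markup">',
  '|- data-details="<img src=x onerror=alert(1)>"',
];

for (const f of scanForCargoXss(SAMPLE_LINES)) {
  console.log(`line ${f.line} ${f.severity.padEnd(6)} ${f.attr}=${JSON.stringify(f.value)}`);
}
```

To run it over a real export, replace `SAMPLE_LINES` with the lines of the dump file. Treat `script` findings as confirmed injections and `markup` findings as worth a look: a legitimate Cargo row before the fix could carry HTML in `data-details`, but after upgrading to 3.8.7 any non-reserved data attribute holding markup did not come from Cargo.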


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade the MediaWiki Cargo extension to version 3.8.7 or later, where the issue is fixed.

The fix involves replacing non-reserved `data-` attributes with reserved `data-mw-` attributes (e.g., `data-mw-cargo-dynamic-table`) in the dynamic table format. These reserved attributes are sanitized by MediaWiki and cannot be set via wikitext, preventing injection of arbitrary HTML or scripts.

If upgrading immediately is not possible, disable or restrict the dynamic table format in Cargo, limit editing of affected pages to trusted users, and audit recent edits and Cargo queries that use the dynamic table format for rows whose `data-details` values contain markup or `on*=` handlers.

Also review and apply the patch in Gerrit change #1237979, which is the upstream fix for this issue.

