CVE-2026-39837
Received Received - Intake
Stored XSS in Mediawiki Cargo Extension Before

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: wikimedia-foundation

Description
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39837
EUVD
EUVD-2026-19927
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mediawiki cargo to 3.8.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) issue in the MediaWiki Cargo extension that allows attackers to inject malicious scripts which execute in users' browsers.

Such XSS vulnerabilities can lead to unauthorized access to user data, session hijacking, or manipulation of displayed content, which may result in breaches of confidentiality and integrity.

Consequently, this can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure handling of data.

Organizations using affected versions of the MediaWiki Cargo extension should address this vulnerability promptly to maintain compliance with these standards.

Executive Summary

CVE-2026-39837 is a stored Cross-Site Scripting (XSS) vulnerability in the MediaWiki Cargo extension, specifically in its dynamic table format feature.

The vulnerability occurs because the dynamic table script uses non-reserved HTML5 data attributes (like `data-details`) to store HTML content that can include unsafe user input. Attackers can manipulate these attributes via wikitext to inject malicious scripts.

For example, an attacker can create a Cargo query that outputs a dynamic table row with a `data-details` attribute containing an image tag with an `onerror` JavaScript event handler. When a user interacts with this row, the malicious script executes, demonstrating stored XSS.

The root cause is that these non-reserved data attributes can be set through untrusted wikitext input, allowing persistent script injection.

The issue was fixed by replacing non-reserved `data-` attributes with reserved `data-mw-` attributes, which are protected by MediaWiki’s sanitizer and cannot be set via wikitext, preventing such injections.

Impact Analysis

This vulnerability allows attackers to inject and store malicious scripts within MediaWiki pages using the Cargo extension. When other users view or interact with the affected dynamic tables, the malicious scripts execute in their browsers.

Such stored XSS attacks can lead to unauthorized actions performed on behalf of users, theft of session cookies, defacement, or redirection to malicious sites.

Because the scripts persist in the content, the attack can affect multiple users over time, increasing the risk and impact.

Detection Guidance

This vulnerability can be detected by identifying stored Cross-Site Scripting (XSS) payloads embedded in dynamic tables generated by the MediaWiki Cargo extension. Specifically, look for HTML elements with non-reserved data attributes such as `data-details` containing suspicious script code or event handlers like `onerror` in image tags.

One way to detect the vulnerability is to search for pages or database entries containing Cargo queries that output dynamic tables with rows having `data-details` attributes embedding JavaScript event handlers (e.g., `<img src=x onerror=alert(2)>`).

Commands to help detect such payloads might include searching the MediaWiki database or exported content for suspicious patterns. For example, using grep on exported wikitext or HTML files:

  • grep -r 'data-details' /path/to/mediawiki/data | grep -i 'onerror'
  • grep -r '<img src=x onerror' /path/to/mediawiki/data

Additionally, monitoring HTTP responses for dynamic tables containing non-reserved `data-` attributes with embedded scripts when users interact with the tables can help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the MediaWiki Cargo extension to version 3.8.7 or later, where the issue is fixed.

The fix involves replacing non-reserved `data-` attributes with reserved `data-mw-` attributes (e.g., `data-mw-cargo-dynamic-table`) in the dynamic table format. These reserved attributes are sanitized by MediaWiki and cannot be set via wikitext, preventing injection of arbitrary HTML or scripts.

If upgrading immediately is not possible, consider disabling or restricting the use of dynamic tables in Cargo extension or sanitizing user input that can affect these data attributes.

Also, review and apply any patches related to Gerrit change #1237979 that address this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39837. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart